A security researcher discovered a zero-day vulnerability in the MacOS Mojave that allows hackers to access secured system files. This Mojave privacy bypass bug coincided with the date of release of Mac’s latest version. Thus, the bug seemingly affects all Mojave users for now.
Mojave Privacy Bypass Bug Makes Protected Files Vulnerable
Security researcher Patrick Wardle once again came up with a thrilling discovery. He found a zero-day Mojave privacy bypass bug. The zero-day vulnerability found in the latest MacOS allows hackers to access secured files on the system. He shared his discovery in a tweet.
Mojave's 'dark mode' is gorgeous 🙌
…but its promises about improved privacy protections? kinda #FakeNews 😥
btw if anybody has a link to 🍎's macOS bug bounty program I'd 💕 to report this & other 0days -donating any payouts to charity 🙏
— patrick wardle (@patrickwardle) September 24, 2018
Allegedly, he discovered a flaw that allows an attacker to access the protected files within a system. The researcher could even access contacts using an “unprivileged app” without admin permissions.
Wardle has shared the exploit where he used the app to copy data from the address book in the video shared below.
Apple Yet To Patch The Flaw
Mojave has supposedly restricted user data protections by forcing apps to ask for explicit permissions from users. This includes permissions to access contacts, calendar, location, photos, and other information. This prevents apps from auto-simulating user input. Nonetheless, the recent privacy bypass bug certainly demands a quick patch to avoid any compromise to Mojave’s security feature.
Wardle confirmed in his tweet that he has reported the vulnerability to Apple that affects the latest MacOS Mojave. He further explained that the bug not only affects dark mode, but rather all modes. Wardle has planned to further shed light on this issue in the upcoming Mac Security Conference in November.