White hat hacker found a macOS Mojave privacy bypass 0-day flaw on release day
25.9.2018 securityaffairs

The popular macOS expert and former NSA hacker has discovered a zero-day vulnerability in macOS on Mojave ‘s release day.
It is always Patrick Wardle, this time the popular expert and former NSA hacker has found a zero-day flaw in macOS on Mojave ‘s release day.

According to the expert, the implementation bug can be exploited to access sensitive user data, including information in the address book.

The vulnerability resides in the implementation of the privacy-protection mechanisms for sensitive data.

The user data protection measures introduced in macOS Mojave force the users to provide the explicit consent for access sensitive data and files (i.e. location services, contacts, calendars, photos).

Applications can no longer do this automatically by simulating human input with synthetic clicks. Apple’s latest OS displays an authorization request for direct user interaction.

In order to improve the user experience, the OS allows the user to pre-authorize the apps they want to allow access to the sensitive data.
This is possible by adding them to the system’s Application Data category in the System Preferences, Security & Privacy panel.

Wardle was able to access the sensitive data using an unprivileged app.

“I found a trivial, albeit 100% reliable flaw in their implementation,” he told Bleeping computer.

Wardle explained that the exploitation of the zero-day issue only works on Mojave’s new privacy protection features.

patrick wardle

Mojave's 'dark mode' is gorgeous 🙌
...but its promises about improved privacy protections? kinda #FakeNews 😥

0day bypass:https://vimeo.com/291491984

btw if anybody has a link to 🍎's macOS bug bounty program I'd 💕 to report this & other 0days -donating any payouts to charity 🙏

3:45 PM - Sep 24, 2018
216 people are talking about this
Twitter Ads info and privacy
Below the video PoC published by Wardle, it shows the expert that tries to copy the content of the address book and denies the operation when the operating system asks for permission. Wardle then uses an unprivileged app that allows him to access the address book data.

Wardle plans to present technical details of the zero-day flaw in the upcoming Mac Security conference in Maui, Hawaii, in November.