While one of Apple's flagship announcements for macOS Mojave concerned precisely the protection of personal data through, in particular, a “Dark Mode”, a security flaw allowing access to some of this data was pointed out by the co-founder of Digita Security. In terms of security, Apple will therefore have kept its promises for only a few hours, since the flaw was discovered on the very day the latest version of macOS was deployed.
It was on Vimeo that Patrick Wardle demonstrated that, from a command prompt, a handful of seconds is enough to bypass part of the protection system designed by Apple and get hold of contacts from the OS address book. The researcher subsequently shared the vulnerability on Twitter. However, it would only allow “limited” access to the user's personal data.
In an interview with Bleeping Computer, Patrick Wardle explained his modus operandi. To get around the user authorization system set up by Apple, the researcher used an application that can be launched without specific authorization. This application then made it possible to exploit the zero-day flaw, which is due to the way in which the brand “has implemented its protections for various types of private data,” he said without going into further detail.
Publicity Apple could have done without, but a flaw of moderate severity
He does, however, plan to give more details at a security conference to be held in November. In the meantime, it is made clear that although the flaw is not of the utmost severity, it works for anyone seeking to get past the protection system. Wardle describes the vulnerability as “trivial, but 100% reliable (…)”. It does not, however, appear to be a universal bug. As stated by CNet US, it would not impact the other data protection features of macOS Mojave.
Note that Patrick Wardle is currently seeking to contact Apple in order to share his discovery with the company in detail. For now, the brand has not yet responded, but the researcher, generously, would like to donate any reward Apple might offer him to a charity.
Mojave's 'dark mode' is gorgeous 🙌
… But its promises about improved privacy protections? kinda #FakeNews 😥
0day bypass: https://t.co/rRf8t7C7Zf
btw if anybody has a link to 🍎's macOS bug bounty program I'd 💕 to report this & other 0days -donating any payouts to charity 🙏
– patrick wardle (@patrickwardle) September 24, 2018