In its WWDC 2018 keynote, Apple had introduced a new security feature that forces applications recently installed to prompt the user to ask for permissions – “Allow” or “Deny” – to gain access to sensitive information including location, contacts, messages and storage. This feature restricted an application from gaining access to user date without the users prior permission. But now it seems that this feature has a flaw.
Former NSA security researcher and current Chief Research Officer at Digita security Patrick Wardle brought a serious security issue to day light in his talk ‘An 0 day in MacOS’ at the conference Objective by the Sea on 2nd June. 0 day (or zero-day) is an exploit against an unpatched flaw or vulnerability. Wardle’s publicly demonstrated the flaw in Apple’s newest update because his previous reports were being ignored by Apple. The bug doesn’t cause a serious threat as it merely bypasses some prompt warning on the user’s behalf without causing any damage to the core system of the computer.
Wardle showed that an application can ‘click’ through the dialog prompt in order to gain access to sensitive data or security permissions. These clicks are synthetic meaning that no user is required grant permissions to a program to gain access to user data or component. Though Wardle himself says this flaw isn’t a very serious one because he had previously reported it to Apple and is nothing more than a mere tweak, Apple hasn’t yet released a patch to fix this issue.
Wardle had previously demonstrated another vulnerability of MacOS in 2017 which after Apple released its patch resolved the famous bug which used to store passwords as plaintext. He has been bringing similar issues to light. He has shown his concerns to Apple’s security issue through his tweets (like here) and his talks. But Apple has always delayed his reports.
Legitimacy of an application is verified using a digital certificate which authenticates whether the application bundle is from a trusted source, whether it has been modified and also ensures malwares stay out by raising an error in case the application has been modified or any trust issues are detected. What happens with MacOS’s flaw is that it only verifies the source and not the whole application bundle for any modifications. Due to this any application which has been manipulated can bypass through without raising any error. Thus, any malware programmed to make use of synthetic clicks can gain access to sensitive user data. This malware can make use of mouse keys which would make the use of mouse clicks redundant to click ‘Allow’ and gain access to wanted information.
This puts that application in whitelist and if it has been manipulated somehow, the malware can performs its designated actions. This means the tweaked application can gain access to not only contacts, location and messages but also to webcam and microphone. Which can transmit much more personal date if the application can also bypass the firewall. The dialog boxes are meant to act as speed breakers when permissions regarding security settings is concerned.
Wardle demonstrated this using VLC Media Player which is a popular all media player as it’s customizable and open source. User can install various plugins which can enhance its feature but Wardle showed how this can be used to include a malware plugin to exploit the bug in MacOS.
Apple has many security features which has made it more reliable and trustworthy since years. But recent updates have been ruining its this reliability and if not fixed soon small issues like these can bring big problems for not only its consumers but Apple itself.
Apple hasn’t released any patch yet nor have they provided any new update on this matter. But Wardle has raised his concerns.
As of yet, Mac users can do nothing but wait until Apple issues another update.
