New Mac Exploit Easily Bypasses Gatekeeper Security, Could Allow Installation of Malicious Apps - MacRumors
Skip to Content

New Mac Exploit Easily Bypasses Gatekeeper Security, Could Allow Installation of Malicious Apps

by

Apple introduced Gatekeeper in 2012, creating it as a method of protection for users against malicious threats by adding various layers of security during installation of Mac apps. The feature is intended to ensure that apps users try to install on their Macs are legitimate and signed by a registered developer, minimizing the threat of malware. But now, a security researcher has discovered a simple method of bypassing Gatekeeper using a binary file already trusted by Apple to attack a user's computer (via Ars Technica).

macbook_pro_15_imac_27
Gatekeeper is meant solely to check the initial digital certificate when an app is downloaded on a Mac, ensuring that the program has been signed by an Apple-approved developer or at least comes from the Mac App Store itself before allowing the installation to proceed.

"If the application is valid—so it was signed by a developer ID or was (downloaded) from the Mac App Store—Gatekeeper basically says 'OK, I'm going to let this run,' and then Gatekeeper essentially exits," Patrick Wardle, director of research of security firm Synack, told Ars. "It doesn't monitor what that application is doing. If that application turns around and either loads or executes other content from the same directory... Gatekeeper does not examine those files."

Even if Gatekeeper is enhanced to its highest level of security settings, the new exploit can take advantage of a computer. Once the trusted file makes its way past the security program, it can then execute a handful of other malicious programs attached with the rest of the installation and gains the ability to install malicious software such as password-stealing programs, apps that can capture audio and video from a Mac's camera, and botnet software.

The researcher who discovered the exploit sent news of it to Apple about 60 days ago and "believes they are working on a way to fix the underlying cause or at least lessen the damage it can do to end users." Since then, an Apple spokesperson has confirmed the company is working on a patch for the issue and has asked that the identities of the specific files used in the exploit not be disclosed. Wardle plans to showcase his research on the Gatekeeper exploit at the Virus Bulletin Conference on Thursday in Prague.

Tag: Gatekeeper

Popular Stories

Apple Card iPhone 16 Pro Feature

Apple Card Promo to Offer Free AirPods Pro 3

Friday May 15, 2026 8:59 am PDT by
Starting as early as next week, customers who sign up for an Apple Card at Apple's retail stores in the U.S. will receive $249 cash back when they purchase AirPods Pro 3, according to Bloomberg's Mark Gurman. The promotion has yet to be officially announced by Apple, so exact terms and conditions are not available at this time. AirPods Pro 3 are priced at $249 in the U.S., so customers who...
Read Full Article47 comments
Apple WWDC25 iOS 26 CarPlay Light mode 250609

Six Popular iPhone Apps Now Available on CarPlay

Thursday May 14, 2026 9:10 am PDT by
Apple's CarPlay system for accessing iPhone apps on a vehicle's dashboard screen has received six popular apps in recent weeks: ChatGPT, Perplexity, Grok, Google Meet, WhatsApp, and the indie artist streaming platform Audiomack. Make sure you have the latest version of each app and they will automatically appear on CarPlay. ChatGPT Starting with iOS 26.4, CarPlay supports voice-based...
Read Full Article29 comments
ipad mini 7 blue

OLED iPad Mini: Release Date, Pricing, and What to Expect

Thursday May 14, 2026 5:08 am PDT by
According to the latest rumors, Apple is close to launching its next-generation iPad mini. So what should we expect from the successor to the iPad mini 7 that Apple released over a year ago? Read on to find out. Processor and Performance Apple is working on a next-generation version of the iPad mini (codename J510/J511) that features the A19 Pro chip, according to information found in code...
Read Full Article88 comments

Top Rated Comments

Codyak Avatar
Codyak
139 months ago
-Gategate
Score: 20 Votes (Like | Disagree)
cariacou Avatar
cariacou
139 months ago
Your Mac has either a 14nm Samsung CPU or a 16nm TSMC CPU.

To check which one you have, please click on this link...
Score: 13 Votes (Like | Disagree)
D
DavidTheExpert
139 months ago
There's a very simple way to avoid malware on any computer: Don't install anything you don't trust.
Score: 6 Votes (Like | Disagree)
L
Lord Hamsa
139 months ago
I'm not particularly concerned about this "exploit". Anyone seeking to make use of it could just as easily put the malware directly in the developer-signed application in the first place. Why go through the extra steps of invoking additional applications when you can do it in the initial one?

The only thing that keeps the self-signed applications on the up-and-up is that the developer ID can be revoked for bad behavior - whether it's in the signed application or a bundled application called by it makes little difference if the developer is doing this intentionally.

The only real attack vector here is if an application is known to invoke "helper" executables, and someone executes a man-in-the-middle attack to create a modified distribution with the legit signed main application but with one or malware-infected helper executables, and then pass that off as a legit bundle. Possible, but limiting downloads to trusted/official sites will prevent that.
Score: 4 Votes (Like | Disagree)
garylapointe Avatar
garylapointe
139 months ago
I tend to assume that there are ways around all forms of security protection.
But the app store has always made me feel a little safer...

Gary
Score: 4 Votes (Like | Disagree)
Jess13 Avatar
Jess13
139 months ago
-Gategate
Perfect haha.
Score: 3 Votes (Like | Disagree)
Read All Comments