Security Researcher Shows How Remote macOS Exploit Hoodwinks Safari Users With Custom URL Schemes

A security researcher has demonstrated how macOS users are vulnerable to remote infection through a malicious exploit involving the "Do you want to allow..." popup that can be encountered when visiting websites in Safari.

In a lengthy breakdown, Patrick Wardle explains how the exploit utilizes document handlers, which request permission to open a link or a file in another app – like a PDF in Preview, for example – and URL handlers, which work similarly in the way they notify macOS that they can accept certain file formats.


The exploit begins when a user visits a malicious website: a ZIP file is downloaded and automatically unzipped by Safari, and once the extracted application is on disk, macOS registers its custom URL scheme handler. Wardle writes:
Once the target visits our malicious website, we trigger the download of an archive (.zip) file that contains our malicious application. If the Mac user is using Safari, the archive will be automatically unzipped, as Apple thinks it's wise to automatically open "safe" files. This fact is paramount, as it means the malicious application (vs. just a compressed zip archive) will now be on the user's filesystem, which will trigger the registration of any custom URL scheme handlers! Thanks Apple!
In the next stage, the malicious web page runs code that can load or "browse" to the custom URL scheme, which causes macOS to activate the URL handler and launch the malicious application.

This launch is gated by a Safari prompt offering "Allow" and "Cancel"; however, the popup text and available options are controlled by the attacker, so the prompt is easily changed to trick or deceive the user.


The standard defenses built into macOS – Gatekeeper, for example – are said to be ineffective when it comes to the attack described above, and while Apple could always revoke the malicious app's signature, that course of action would obviously be too late for anyone who had already gone ahead and launched it.

Until then, turning off automatic unzipping of "safe" files should be enough to prevent the malicious procedure from ever occurring. Concerned users can do so by clicking the Safari menu bar, selecting Preferences..., and under the General tab, unchecking Open "safe" files after downloading.
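An added example, not code from the article or from Wardle's write-up, covering both the registration step above and the mitigation: it reads the custom URL schemes an app bundle declares in its Info.plist (assumed to live under CFBundleURLTypes -> CFBundleURLSchemes, which is what Launch Services registers once the app is on disk) and checks a Safari preference plist for the "Open safe files" setting, assumed to be stored as the AutoOpenSafeDownloads key. The sample Info.plist is constructed inline.

```python
"""Audit helpers for the Safari auto-unzip / custom URL scheme issue.
Added example, not code from the article or from Wardle's write-up.
Assumptions: an app declares its URL schemes in Info.plist under
CFBundleURLTypes -> CFBundleURLSchemes, and Safari stores the "Open safe
files after downloading" checkbox as AutoOpenSafeDownloads in
com.apple.Safari.plist (path assumed; it varies by macOS version).
"""
import plistlib
from pathlib import Path

# Schemes an app may legitimately handle; everything else is treated as custom.
WELL_KNOWN_SCHEMES = {"http", "https", "mailto", "ftp", "file", "tel"}

def url_schemes_from_info_plist(data: bytes) -> list[str]:
    """Every URL scheme declared in an Info.plist (XML or binary bytes)."""
    info = plistlib.loads(data)
    return [s.lower() for t in info.get("CFBundleURLTypes", [])
            for s in t.get("CFBundleURLSchemes", [])]

def custom_schemes(data: bytes) -> list[str]:
    """Only non-standard schemes: the ones a web page could browse to in order to launch this app."""
    return [s for s in url_schemes_from_info_plist(data) if s not in WELL_KNOWN_SCHEMES]

def audit_app_bundles(folder: Path) -> dict[str, list[str]]:
    """Map each .app directly under `folder` (e.g. ~/Downloads) to its custom schemes.
    An app that landed here via Safari's auto-unzip has already been registered
    with Launch Services; this shows which schemes that registration covers."""
    findings = {}
    for app in folder.glob("*.app"):
        plist = app / "Contents" / "Info.plist"
        if plist.is_file():
            schemes = custom_schemes(plist.read_bytes())
            if schemes:
                findings[app.name] = schemes
    return findings

def safari_auto_opens_safe_files(prefs: bytes) -> bool:
    """True if the Safari preference plist still has the risky setting enabled.
    Safari's default is enabled, so a missing key counts as enabled."""
    return bool(plistlib.loads(prefs).get("AutoOpenSafeDownloads", True))

# Constructed sample Info.plist, of the kind an app shipped inside a ZIP would carry.
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleName": "Sample App",
    "CFBundleURLTypes": [
        {"CFBundleURLName": "custom", "CFBundleURLSchemes": ["sample-app-open"]},
        {"CFBundleURLName": "web", "CFBundleURLSchemes": ["https"]},
    ],
})
```

On a Mac, point `audit_app_bundles` at `~/Downloads` to see which freshly unzipped apps registered custom schemes, and pass the bytes of your Safari preference plist to `safari_auto_opens_safe_files` to confirm the checkbox is off.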



Top Rated Comments

11 weeks ago

Until then, turning off automatic unzipping of "safe" files should be enough to prevent the malicious procedure from ever occurring. Concerned users can do so by clicking the Safari menu bar, selecting Preferences..., and under the General tab, unchecking Open "safe" files after downloading.


Surely this should be the default position for any user regardless of the exploit or not.
Rating: 9 Votes
11 weeks ago
There have been a few previous security vulnerabilities relating to Safari on the Mac, where allowing Safari to open 'safe' files was the entry vector.

Ever since the first such vulnerability, it's been my opinion that the safest approach is to simply leave that option turned off permanently. Particularly as it doesn't really add much convenience. I very rarely want to open a file as soon as it's been downloaded. Also, opening a file manually involves two clicks at the very most.

Anyway, I feel this is one instance where security outweighs convenience by a very wide margin.
Rating: 8 Votes
11 weeks ago
I have always turned this option off for any Mac I worked with. It should never have been a thing, and certainly never the default.
Rating: 7 Votes
11 weeks ago

Surely this should be the default position for any user regardless of the exploit or not.


It shouldn’t even be a feature. How lazy do you have to be if you can’t double click an archive?!
Rating: 6 Votes
11 weeks ago
His snarky “thanks Apple!” comment seemed a bit unprofessional for a security researcher.
Surely he must be aware that all tech companies don’t try to have security holes... & if none existed whatsoever, he’d be out of a job.
Rating: 5 Votes
11 weeks ago
I only came here to doff my cap for the use of the word "hoodwinks".
Rating: 4 Votes
11 weeks ago
Yikes, that's scary stuff - I had to check to make sure Safari doesn't automatically open "safe" items.
Rating: 4 Votes
11 weeks ago

Thanks for the news. I disabled it for both users on the iMac.



Yeah, especially zip files. That extension has been the germ donkey of the tech world for as long as I can remember.


Indeed. A zip file could contain anything.
Rating: 2 Votes
11 weeks ago

So glad that I don't have this option checked! Thanks! Also, if you are the rare macOS user who does have a malware or antivirus app, does this still apply? As in, if your malware or antivirus app is set up to check the opening of files (whether "safe" or not), then might this help prevent the code from running and thus installing malicious code?


I’d think it wouldn’t necessarily help. My understanding is all antivirus apps do is scan files for known virus signatures.

It’d help against anything from a script-kiddie, but so long as the person who did this actually wrote their own malicious app rather than relying on something preexisting, then there’d be nothing for the antivirus app to tell you was definitely dangerous.

It could always tell you nobody had verified the program was actually safe, I guess, but my antivirus on Windows at work tells me that a lot and I always ignore it. I’d guess with AV being so uncommon on macOS, the library of apps it would recognize as definitely safe would be even smaller.
Rating: 2 Votes
11 weeks ago
Similar to the Mail preference to "Prohibit loading remote content", I always have the "Automatically open safe files" turned off. This is an area where I think Apple should have an install-time option to select among a couple security-level profiles like "I'm lazy" (wide open), "Convenience" (middling), and "Protect and defend" (reasonably strict).
Rating: 2 Votes