Security Researcher Shows How Remote macOS Exploit Hoodwinks Safari Users With Custom URL Schemes

A security researcher has demonstrated how macOS users are vulnerable to remote infection through a malicious exploit involving the "Do you want to allow..." popup that can be encountered when visiting websites in Safari.

In a lengthy breakdown, Patrick Wardle explains how the exploit utilizes document handlers, which request permission to open a link or a file in another app – like a PDF in Preview, for example – and URL handlers, which work similarly in the way they notify macOS that they can accept certain file formats.

The exploit occurs when a user visits a malicious website and a ZIP file is downloaded and automatically unzipped by Safari, whereby the custom URL scheme is initially registered on the user's filesystem.

Once the target visits our malicious website, we trigger the download of an archive (.zip) file that contains our malicious application. If the Mac user is using Safari, the archive will be automatically unzipped, as Apple thinks it's wise to automatically open "safe" files. This fact is paramount, as it means the malicious application (vs. just a compressed zip archive) will now be on the user's filesystem, which will trigger the registration of any custom URL scheme handlers! Thanks Apple!

In the next stage, the malicious web page runs code that can load or "browse" to the custom URL scheme, which causes macOS to activate the URL handler and launch the malicious application.

This action is enabled through the Safari user prompt that includes options to "Allow" or "Cancel" the process; however, the popup text and available options are controlled by the attacker and are therefore easily changed to trick or deceive the user.

The standard defenses built into macOS – Gatekeeper, for example – are said to be ineffective when it comes to the attack described above, and while Apple could always revoke the malicious app's signature, that course of action would obviously be too late for anyone who had already gone ahead and launched it.

Until then, turning off automatic unzipping of "safe" files should be enough to prevent the malicious procedure from ever occurring. Concerned users can do so by clicking the Safari menu bar, selecting Preferences..., and under the General tab, unchecking Open "safe" files after downloading.
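
As an added example (not code from the article or from the researcher's write-up), the following audit lists unzipped app bundles in a download folder that declare custom URL schemes and reports whether the auto-open option is still enabled. `CFBundleURLTypes`, `CFBundleURLSchemes` and `AutoOpenSafeDownloads` are the real property-list keys; the bundle names, the `examplescheme` scheme and the preferences file path are constructed sample data, and treating an absent preference key as "enabled" is an assumption.

```python
import plistlib
import tempfile
from pathlib import Path

def declared_url_schemes(app_bundle: Path) -> list:
    """Custom URL schemes an .app bundle declares in Contents/Info.plist."""
    try:
        info = plistlib.loads((app_bundle / "Contents" / "Info.plist").read_bytes())
    except Exception:  # missing or malformed Info.plist: nothing to report
        return []
    schemes = set()
    for url_type in info.get("CFBundleURLTypes", []):
        schemes.update(url_type.get("CFBundleURLSchemes", []))
    return sorted(schemes)

def audit_downloads(root: Path) -> dict:
    """Map each app bundle under root to the URL schemes it declares."""
    found = {}
    for bundle in sorted(root.rglob("*.app")):
        schemes = declared_url_schemes(bundle)
        if schemes:
            found[bundle.name] = schemes
    return found

def auto_open_enabled(safari_prefs: Path) -> bool:
    """True if 'Open "safe" files after downloading' is still switched on."""
    prefs = plistlib.loads(safari_prefs.read_bytes())
    # Assumption: an absent key means the option is at its default, enabled.
    return bool(prefs.get("AutoOpenSafeDownloads", True))

def build_sample(root: Path) -> Path:
    """Constructed sample: two unzipped bundles and a Safari preferences file."""
    samples = {"Invoice.app": [{"CFBundleURLSchemes": ["examplescheme"]}],
               "Plain.app": []}
    for name, url_types in samples.items():
        contents = root / "Downloads" / name / "Contents"
        contents.mkdir(parents=True)
        (contents / "Info.plist").write_bytes(
            plistlib.dumps({"CFBundleURLTypes": url_types}))
    prefs = root / "com.apple.Safari.plist"
    prefs.write_bytes(plistlib.dumps({"AutoOpenSafeDownloads": False}))
    return prefs

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        prefs = build_sample(Path(tmp))
        print(audit_downloads(Path(tmp) / "Downloads"))
        print("auto-open enabled:", auto_open_enabled(prefs))
```

On a real Mac, point `audit_downloads` at the user's Downloads folder and `auto_open_enabled` at Safari's preferences plist, whose location depends on the macOS version.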

Top Rated Comments

Kebabselector
31 months ago

Until then, turning off automatic unzipping of "safe" files should be enough to prevent the malicious procedure from ever occurring. Concerned users can do so by clicking the Safari menu bar, selecting Preferences..., and under the General tab, unchecking Open "safe" files after downloading.

Surely this should be the default position for any user regardless of the exploit or not.
Score: 9 Votes
NaOH
31 months ago
There have been a few previous security vulnerabilities relating to Safari on the Mac, where allowing Safari to open 'safe' files was the entry vector.

Ever since the first such vulnerability, it's been my opinion that the safest approach is to simply leave that option turned off permanently. Particularly as it doesn't really add much convenience. I very rarely want to open a file as soon as it's been downloaded. Also, opening a file manually involves two clicks at the very most.

Anyway, I feel this is one instance where security outweighs convenience by a very wide margin.
Score: 8 Votes
Porco
31 months ago
I have always turned this option off for any Mac I worked with. It should never have been a thing, and certainly never the default.
Score: 7 Votes
twistedpixel8
31 months ago

Surely this should be the default position for any user regardless of the exploit or not.

It shouldn’t even be a feature. How lazy do you have to be if you can’t double click an archive?!
Score: 6 Votes
Justanotherfanboy
31 months ago
His snarky “thanks Apple!” comment seemed a bit unprofessional for a security researcher.
Surely he must be aware that all tech companies don’t try to have security holes... & if none existed whatsoever, he’d be out of a job.
Score: 5 Votes
MrGimper
31 months ago
I only came here to doff my cap for the use of the word "hoodwinks"
Score: 4 Votes
