If you're new to AirPods, considering buying a pair, or just want to pick up some new tips.
AirPods and AirPower: Everything We Know
Bypass Flaw in Newly Released macOS Mojave Update Lets Hackers Access Protected Files
Researcher Patrick Wardle, who has uncovered many security flaws in Apple's macOS operating system, today shared some details on a new vulnerability that he's found in the newly released macOS Mojave update.
As outlined by BleepingComputer, Wardle discovered that he was able to access Contacts data from the address book using an unprivileged app, as demonstrated in the video below.
According to Wardle, the vulnerability is a result of the way that Apple implemented new macOS privacy protections in the Mojave update.
In the macOS Mojave update, Apple made a change that requires explicit user consent for apps to access location data, camera, contacts, calendars, reminders, messages history, Safari data, mail databases, and other sensitive data, which should prevent the vulnerability that Wardle demonstrates.
Apple will undoubtedly address the security flaw discovered by Wardle in an upcoming update to macOS Mojave.
As outlined by BleepingComputer, Wardle discovered that he was able to access Contacts data from the address book using an unprivileged app, as demonstrated in the video below.
According to Wardle, the vulnerability is a result of the way that Apple implemented new macOS privacy protections in the Mojave update.
"I found a trivial, albeit 100% reliable flaw in their implementation," he told us, adding that it allows a malicious or untrusted app to bypass the new security mechanism and access the sensitive details without authorization.The bypass does not work with all of the new privacy protection features in macOS Mojave, and hardware-based components, such as the webcam, are not affected. Full details on the vulnerability are not available yet, as Wardle plans to share technical details in November.
In the macOS Mojave update, Apple made a change that requires explicit user consent for apps to access location data, camera, contacts, calendars, reminders, messages history, Safari data, mail databases, and other sensitive data, which should prevent the vulnerability that Wardle demonstrates.
Apple will undoubtedly address the security flaw discovered by Wardle in an upcoming update to macOS Mojave.
Related Roundup: macOS Mojave
[ 96 comments ]
Top Rated Comments
(View all)
21 weeks ago
As a security researcher professional, this is entirely inappropriate. He should have contacted Apple during the beta release cycle and gotten it fixed. If Apple needs more time to fix it, and is aware of the issue, then you keep the vulnerability under wraps so that other hackers do not exploit your vulnerability while it has no fix.
The only reason to publish a vulnerability with no fix is if the vendor WILL NOT FIX the vulnerability. I doubt that is the case here. This Wardle is seeking attention, and should be looked down upon.
See the guys listed here? These are the true professionals, they did it right.
https://support.apple.com/en-us/HT209139
The only reason to publish a vulnerability with no fix is if the vendor WILL NOT FIX the vulnerability. I doubt that is the case here. This Wardle is seeking attention, and should be looked down upon.
See the guys listed here? These are the true professionals, they did it right.
https://support.apple.com/en-us/HT209139
21 weeks ago
why come forward today and not earlier that Apple can fix this before Mojave release ? i wonder...
21 weeks ago
Why dont they do proper testing?
Yeah they should have a beta program or something with a feedback app, then this would’ve been discovered months ago :rolleyes:
21 weeks ago
Why dont they do proper testing? A bit embarrassing for a trillion dollar company.
21 weeks ago
It requires the Mac to be unlocked in the first place, so this isn’t the worst security flaw in the world.
21 weeks ago
Oh goodie, now we can have all of the usual suspects flock here to take a **** on Apple
21 weeks ago
I think it is perfect timing. The more attention these issues get the better for consumers. As long as he doesn't sell zero day on blackmarket but shares it with public i am good with it.
Seems like you are more concerned with reputation of the brand Apple than their customers security.
It does not matter that it was Apple, it could have been Microsoft releasing the latest Windows 10 "creator update" or whatever they are flavoring their builds as. If you have knowledge of a vulnerability during beta, you report it during beta and they fix it during beta. It is that simple.
This guy took the time to discover the vulnerability, write an exploit for it that worked, then sat on his hands until release day to make a statement and get publicity. That is what I have an issue with. It was unethical, and unprofessional.
21 weeks ago
If this guy has access to the various betas, this is a real chump move. The defect would have been present in at least the last beta, if not before.
21 weeks ago
Why on earth has Patrick Wardle made this public? Talk about has disrespect for security and also getting disrespected by the security industry for how h has announced it. Very unprofessional from his side.
21 weeks ago
And that's why you never install a new major macOS version until at least a couple of months have passed
[ Read All Comments ]
Parallels this week debuted a new promo bundle for both new and current users, offering a chance to buy or upgrade to Parallels Desktop 14, and then get ten other Mac apps for free. New owners can...
Over the past few weeks, a handful of users have reported receiving the message "an error occurred" when attempting to load the "For You" tab in iTunes, which provides personalized...
The latest Apple Pay promotion offers you the chance to get $5 off movie tickets with Fandango. To see the discount, you'll have to purchase two or more tickets within a single transaction...
Google Maps this week updated its iOS app with a new "Follow" feature, letting you keep track of events and news from your favorite local restaurants, bakeries, or bars. You can follow a...
Twitter today launched its Twitter Prototype Program and is accepting applications from people who want to beta test new Twitter features on iOS devices. Twitter's tests will be done through a...
Shazam, the song discovery app that's now owned by Apple, received a minor bug fix update last week, which, according to AppFigures, removes all third-party SDKs.
Shazam for iOS is no longer...
As of February 27, 2019, Apple is requiring that all Developer accounts with an Account Holder role be secured with two-factor authentication in order to ensure that only the account owner is able to...
Apple today seeded the third beta of an upcoming tvOS 12.2 update to its public beta testing group, one day after providing the beta to developers and a week after releasing the second tvOS 12.2...
