Bypass Flaw in Newly Released macOS Mojave Update Lets Hackers Access Protected Files

Researcher Patrick Wardle, who has uncovered many security flaws in Apple's macOS operating system, today shared some details on a new vulnerability that he's found in the newly released macOS Mojave update.

As outlined by BleepingComputer, Wardle discovered that he was able to access Contacts data from the address book using an unprivileged app, as demonstrated in the video below.


According to Wardle, the vulnerability is a result of the way that Apple implemented new macOS privacy protections in the Mojave update.

"I found a trivial, albeit 100% reliable flaw in their implementation," he told us, adding that it allows a malicious or untrusted app to bypass the new security mechanism and access the sensitive details without authorization.

The bypass does not work with all of the new privacy protection features in macOS Mojave, and hardware-based components, such as the webcam, are not affected. Full details on the vulnerability are not available yet, as Wardle plans to share technical details in November.

In the macOS Mojave update, Apple made a change that requires explicit user consent for apps to access location data, camera, contacts, calendars, reminders, messages history, Safari data, mail databases, and other sensitive data, which should prevent the vulnerability that Wardle demonstrates.

macosmojaveprivacy
Apple will undoubtedly address the security flaw discovered by Wardle in an upcoming update to macOS Mojave.

Related Forum: macOS Mojave

Top Rated Comments

SecuritySteve Avatar
73 months ago
As a security researcher professional, this is entirely inappropriate. He should have contacted Apple during the beta release cycle and gotten it fixed. If Apple needs more time to fix it, and is aware of the issue, then you keep the vulnerability under wraps so that other hackers do not exploit your vulnerability while it has no fix.

The only reason to publish a vulnerability with no fix is if the vendor WILL NOT FIX the vulnerability. I doubt that is the case here. This Wardle is seeking attention, and should be looked down upon.

See the guys listed here? These are the true professionals, they did it right.

https://support.apple.com/en-us/HT209139
Score: 52 Votes (Like | Disagree)
fokmik Avatar
73 months ago
why come forward today and not earlier that Apple can fix this before Mojave release ? i wonder...
Score: 31 Votes (Like | Disagree)
dannyyankou Avatar
73 months ago
Why dont they do proper testing?
Yeah they should have a beta program or something with a feedback app, then this would’ve been discovered months ago :rolleyes:
Score: 24 Votes (Like | Disagree)
rafark Avatar
73 months ago
Why dont they do proper testing? A bit embarrassing for a trillion dollar company.
Score: 21 Votes (Like | Disagree)
dannyyankou Avatar
73 months ago
It requires the Mac to be unlocked in the first place, so this isn’t the worst security flaw in the world.
Score: 11 Votes (Like | Disagree)
MacDawg Avatar
73 months ago
Oh goodie, now we can have all of the usual suspects flock here to take a **** on Apple
Score: 10 Votes (Like | Disagree)

Popular Stories

iOS 18 Siri Integrated Feature

iOS 18 Will Add These New Features to Your iPhone

Friday April 12, 2024 11:11 am PDT by
iOS 18 is expected to be the "biggest" update in the iPhone's history. Below, we recap rumored features and changes for the iPhone. iOS 18 is rumored to include new generative AI features for Siri and many apps, and Apple plans to add RCS support to the Messages app for an improved texting experience between iPhones and Android devices. The update is also expected to introduce a more...
iGBA Feature

Game Boy Emulator for iPhone Now Available in App Store Following Rule Change [Removed]

Sunday April 14, 2024 8:06 am PDT by
A week after Apple updated its App Review Guidelines to permit retro game console emulators, a Game Boy emulator for the iPhone called iGBA has appeared in the App Store worldwide. The emulator is already one of the top free apps on the App Store charts. It was not entirely clear if Apple would allow emulators to work with all and any games, but iGBA is able to load any Game Boy ROMs that...
iGBA Feature

Apple Removes Game Boy Emulator iGBA From App Store Due to Spam and Copyright Violations

Sunday April 14, 2024 9:22 pm PDT by
Apple today said it removed Game Boy emulator iGBA from the App Store for violating the company's App Review Guidelines related to spam (section 4.3) and copyright (section 5.2), but it did not provide any specific details. iGBA was a copycat version of developer Riley Testut's open-source GBA4iOS app. The emulator rose to the top of the App Store charts following its release this weekend,...
iOS NES Emulator Bimmy Feature

NES Emulator for iPhone and iPad Now Available on App Store [Removed]

Tuesday April 16, 2024 11:33 am PDT by
The first approved Nintendo Entertainment System (NES) emulator for the iPhone and iPad was made available on the App Store today following Apple's rule change. The emulator is called Bimmy, and it was developed by Tom Salvo. On the App Store, Bimmy is described as a tool for testing and playing public domain/"homebrew" games created for the NES, but the app allows you to load ROMs for any...
iOS 18 Siri Integrated Feature

Apple's First AI Features in iOS 18 Reportedly Won't Use Cloud Servers

Sunday April 14, 2024 9:52 am PDT by
Apple's first set of new AI features planned for iOS 18 will not rely on cloud servers at all, according to Bloomberg's Mark Gurman. "As the world awaits Apple's big AI unveiling on June 10, it looks like the initial wave of features will work entirely on device," said Gurman, in the Q&A section of his Power On newsletter today. "That means there's no cloud processing component to the...
new best buy blue

Best Buy Opens Up Sitewide Sale With Record Low Prices on M3 MacBook Air, iPad, and Much More

Saturday April 13, 2024 7:41 am PDT by
Best Buy this weekend has a big sale on Apple MacBooks and iPads, including new all-time low prices on the M3 MacBook Air, alongside the best prices we've ever seen on MacBook Pro, iPad, and more. Some of these deals require a My Best Buy Plus or My Best Buy Total membership, which start at $49.99/year. In addition to exclusive access to select discounts, you'll get free 2-day shipping, an...
m3 mbp space black

M4 Macs Are Expected to Launch in This Order Starting Later This Year

Sunday April 14, 2024 10:40 am PDT by
Bloomberg's Mark Gurman recently reported that the first Macs with M4 series chips will be released later this year, with more models to follow next year. In his Power On newsletter today, Gurman shared a more specific roadmap for these Macs. Here is the order in which Gurman expects the Macs to launch:1. A low-end 14-inch MacBook Pro with the M4, coming around the end of 2024. 2. A 24-inch ...
top stories 13apr2024

Top Stories: M4 Mac Roadmap Leaked, New iPads in Second Week of May, and More

Saturday April 13, 2024 6:00 am PDT by
Apple's hardware roadmap was in the news this week, with things hopefully firming up for a launch of updated iPad Pro and iPad Air models next month while we look ahead to the other iPad models and a full lineup of M4-based Macs arriving starting later this year. We also heard some fresh rumors about iOS 18, due to be unveiled at WWDC in a couple of months, while we took a look at how things ...