June 4, 2019
Last June, at Apple's Worldwide Developers Conference, a new privacy feature in macOS Mojave was presented. Senior vice president Craig Federighi claimed that the feature was created to force applications to ask users whether they want to allow or deny access to sensitive components or data such as the camera, microphone, messages or
While the audience applauded the reveal, ex-NSA security researcher Patrick Wardle had a completely different reaction after watching the conference keynote. Why? It seems that over the last year he had discovered a way to invisibly click through those prompts, which led him to conclude that the newly announced feature was, in fact, a worthless security safeguard. After he revealed those security issues, Apple fixed them in the following months.
However, after this year's Worldwide Developers Conference, he discovered for the third time a security problem that Apple had failed to see, showing again that any piece of automated malware can exploit the feature called synthetic clicks. He did it by exploiting a bug in Mojave once again, proving that it is possible to breeze through the security prompts and give any prospective attacker access to those sensitive components, including the camera and microphone.
He claims that Apple's marketing focuses only on click-to-allow security prompts while, in fact, the prompts still do not stop prospective attackers from getting around those clicks by exploiting simple bugs.
Synthetic clicks have long been used to allow disabled users to operate a device just as others do. Apple claims that, to block malicious use of synthetic clicks, the system requires any application that uses them to be added by the user to a list of approved applications. Yet it has been found that an exception to this rule is integrated into macOS by default: some applications, such as VLC, Adobe Dreamweaver, and Steam, don't need the user's pre-approval to use synthetic clicks.
The ex-NSA security researcher discovered within an hour that there is a very simple way to trick macOS into treating his own malware as part of the whitelist. He also found that he could modify an approved program such as VLC to include his malware, making the program generate clicks at will. He compared the ineffective security feature to checking an ID by looking only at the name on it and not at whether it is valid.
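The ID analogy above can be made concrete from the defender's side. The following is an added example, not code from the article or from Apple, and it is a simplified model rather than a description of how macOS validates applications: it contrasts an allow-list that trusts an identifier alone with one that also pins a digest of the whole bundle at approval time. The identifier `org.example.player`, the bundle layout and the file contents are all constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def bundle_digest(root: Path) -> str:
    """SHA-256 over every file's relative path and contents, in sorted order."""
    h = hashlib.sha256()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix().encode()
        data = path.read_bytes()
        # Length-prefix both fields so path/content boundaries are unambiguous.
        h.update(len(rel).to_bytes(8, "big") + rel)
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

def name_only_check(app_id: str, allowlist: dict) -> bool:
    """Weak: trusts anything that presents an allow-listed identifier."""
    return app_id in allowlist

def integrity_check(app_id: str, root: Path, allowlist: dict) -> bool:
    """Stronger: identifier must be listed AND the bundle must be unchanged."""
    expected = allowlist.get(app_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected, bundle_digest(root))

def demo() -> dict:
    app_id = "org.example.player"  # hypothetical identifier
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Player.app"  # constructed stand-in bundle
        (root / "plugins").mkdir(parents=True)
        (root / "player").write_bytes(b"constructed main executable")
        (root / "plugins" / "codec.plugin").write_bytes(b"constructed plugin")
        allowlist = {app_id: bundle_digest(root)}  # recorded at approval time
        intact = integrity_check(app_id, root, allowlist)
        # The bundle changes after approval: one extra file appears.
        (root / "plugins" / "extra.plugin").write_bytes(b"added after approval")
        return {
            "intact_passes_integrity": intact,
            "modified_passes_name_only": name_only_check(app_id, allowlist),
            "modified_passes_integrity": integrity_check(app_id, root, allowlist),
            "unknown_passes_integrity": integrity_check("org.example.other", root, allowlist),
        }

if __name__ == "__main__":
    print(demo())
```

The name-only check still passes after the bundle has changed, while the digest-pinned check rejects it because the digest covers every file in the bundle, not just the main executable.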
The allow and deny security prompts did appear on the screen for a short period of time, but a synthetic click dismissed them, leaving nothing to stop an attacker from doing exactly the same and accessing sensitive components. Moreover, he claims that his malware is able to dim the screen, making the computer appear to be sleeping. Thus, a synthetic click attack can be carried out without the prompt even becoming visible to the user. He concluded that a hacker could gain access with a malicious attachment in a phishing email or another common technique, which would allow the malware to expand and reach much deeper into the targeted system.
As this is the third time that Wardle has revealed a flaw in Apple's security systems, Apple has been asked about the discoveries made by the ex-NSA security researcher but has not yet given an official answer. Wardle claims that Apple's carelessness regarding the security problem that he found and reported to the company made him more focused on putting pressure on the company to fix all the bugs and provide better security to its users.