Ever since Apple announced enhanced privacy protection for macOS Mojave 10.14 last September, a dedicated band of researchers has been poking away at it looking for security flaws.

Embarrassingly for Apple, it’s not proved a tough challenge with the first turning up on launch day when one researcher reported a surprising bypass of privacy protection using an ordinary app (i.e. no admin permission) to access the address book.

Accessed via System Preferences > Security & Privacy > Privacy, other reported bypasses followed soon after, all apparently addressed by updates to Mojave.

Last week, just when it looked as if Apple might have got on top of the issue, StopTheMadness browser extension developer Jeff Johnson announced a new issue affecting all versions of Mojave including the 10.14.3 supplemental update released only days earlier.

According to Johnson, he discovered a way to access ~/Library/Safari without asking the system or user for permission – a directory that should only be accessible via privileged apps such as the macOS Finder.

There are no permission dialogs, it Just Works™. In this way, a malware app could secretly violate a user’s privacy by examining their web browsing history.

The only caveat was that the bypass doesn’t work for sandboxed apps and applied to those running outside that as “notarised” apps (i.e. those signed by a Developer ID that have passed Apple’s automated malware checks).

In a subsequent interview with Bleeping Computer, Johnson said he’d stumbled on the issue while working on his own Safari extension through an unspecified API: