{"id":22875,"date":"2018-09-25T16:05:45","date_gmt":"2018-09-25T20:05:45","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=22875"},"modified":"2021-07-06T17:00:18","modified_gmt":"2021-07-06T21:00:18","slug":"bypassing-mojave-security-protections","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2018\/09\/25\/bypassing-mojave-security-protections\/","title":{"rendered":"Bypassing Mojave Security Protections"},"content":{"rendered":"

Juli Clover<\/a>:<\/p>\n

\n

Researcher Patrick Wardle, who has uncovered many security flaws in Apple’s macOS operating system, today shared some details on a new vulnerability that he’s found in the newly released macOS Mojave update.<\/p>\n

As outlined by BleepingComputer<\/a>, Wardle discovered that he was able to access Contacts data from the address book using an unprivileged app, as demonstrated in the video below.<\/p>\n<\/blockquote>\n\n

And a separate vulnerability from Sentinel One<\/a>:<\/p>\n

\n

Here, we have remotely logged in to Sally’s user account via ssh<\/code> and retrieved the last website she visited, a banking logon page, by reading the LastSession.plist<\/tt> stored in the (supposedly) protected Safari folder.<\/p>\n

Importantly, the ability to ssh<\/code> into the local account and traverse the protected folders does not require pre-approval of Terminal in Full Disk Access, and can even be performed locally by Sally herself with ssh<\/code>[…] In short, any local or remote user can bypass the Full Disk Access requirement simply by logging in via ssh<\/code>.<\/p>\n<\/blockquote>\n\n

This is pretty demoralizing. I’ve spent months trying to make smooth user experiences in spite of the hurdles Apple has added for developers (in some cases without even telling them). Some things are broken<\/a> and not in my control to fix. Even once things settle down, my customers will still have to jump through extra hoops to use my apps. And yet the bad guys can still get at the protected data, anyway.<\/p>\n\n

Presumably these will be fixed, and maybe Apple will eventually improve the user interface, but it just seems like this shipped far before it was ready. As did the rest of Mojave, as there wasn’t even time to distribute a GM build<\/a>.<\/p>\n\n

Previously: Mojave’s New Security and Privacy Protections Face Usability Challenges<\/a>.<\/p>\n\n

Update (2018-09-25): Jeff Johnson<\/a>:<\/p>\n

\n

I’ve got 1 too, different from the other 2<\/p>\n<\/blockquote>\n\n

Update (2018-09-26): Dave Nanian<\/a>:<\/p>\n

\n

The nice thing about the Vista-ing of Mojave is that it’s a huge pain for everyone but the people who you have to worry about.<\/p>\n<\/blockquote>\n\n

Update (2018-09-27): Jeff Johnson<\/a>:<\/p>\n

\n

I used a different attack vector than SentinelOne (ssh) and Wardle. I don’t know what Patrick’s attack vector is, but I did ask him if he used mine, and he said no. So there are at least 3 different privacy protection bypasses in Mojave. I suspect that there are even more.<\/p>\n<\/blockquote>\n\n

Update (2018-11-06): Jeff Johnson<\/a>:<\/p>\n

As of today, the support document does not mention the privacy protection bypass that I discovered and alluded to in my blog post. Nonetheless, macOS 10.14.1 does appear to fix the main issue, although there remain other avenues for bypassing Mojave’s privacy protections under certain conditions.<\/p>

[…]<\/p>

The privacy protection bypass that I discovered is quite simple. It’s obvious that Apple exempted some of its own code from Mojave’s privacy protections; for example, you’re able to navigate protected folders in Finder without triggering permission dialogs.[…] The body in this case was Automator. Or more accurately, \/usr\/bin\/automator<\/code>.<\/p>

[…]<\/p>

Another possible way to bypass Mojave privacy protections is to “piggyback” on another app. Even if a malicious app is unable to obtain special permission itself, the app can use another app that has already been granted permission, such as Terminal app.<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"

Juli Clover: Researcher Patrick Wardle, who has uncovered many security flaws in Apple’s macOS operating system, today shared some details on a new vulnerability that he’s found in the newly released macOS Mojave update. As outlined by BleepingComputer, Wardle discovered that he was able to access Contacts data from the address book using an unprivileged […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2018-09-25T20:05:47Z","apple_news_api_id":"2dc4e12a-e90f-471e-b463-03ca3fd3445c","apple_news_api_modified_at":"2021-07-06T21:00:23Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAACA==","apple_news_api_share_url":"https:\/\/apple.news\/ALcThKukPRx60YwPKP9NEXA","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[1040,131,2095,30,1609,355,48,506,318,1960],"class_list":["post-22875","post","type-post","status-publish","format-standard","hentry","category-technology","tag-automator","tag-bug","tag-exploit","tag-mac","tag-macos-10-14","tag-privacy","tag-security","tag-ssh","tag-terminal","tag-transparency-consent-and-control-tcc"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/22875","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=22875"}],"version-history":[{"count":6,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/22875\/revisions"}],"predecessor-version":[{"id":23306,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/22875\/revisions\/23306"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=22875"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=22875"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=22875"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}