Apple's Mojave operating system contains a vulnerability that could be exploited by attackers to access protected files
The new macOS Mojave, which ships with new security features, contains a zero-day vulnerability that could enable attackers to access private data. The flaw was found by Patrick Wardle, a security researcher at Digita Security, who tweeted a video demonstrating how he exploited the flaw to access a user's address book.
Ironically, the vulnerability is in the new privacy protections implemented in Mojave. These require explicit user consent before apps can access sensitive areas like location services, contacts, calendars, reminders, photos, etc. The protections are meant to thwart hackers looking to use synthetic clicks to simulate human finger touches and gain access to private information. Now, authorization prompts pop up that require direct, real user interaction before an app can tap sensitive information. However, users can whitelist, or preauthorize, trusted apps.
Wardle was able to access the confidential user contacts using an unprivileged app, meaning one that did not run with administrator permissions. The bypass does not work with all of Mojave's new privacy protection features and does not affect hardware-based components such as webcams.
Few technical details about the zero-day vulnerability are available. That is expected, both because Mojave's release is so recent and so that hackers can't use the information to exploit the bug. A detailed explanation of the security flaw will be released in November at the Objective by the Sea conference. Apple has yet to comment on the vulnerability, so look for future OS updates for a bug fix. Since macOS Mojave was only officially launched on September 24, the finding is considered a zero-day vulnerability.