If exploited properly, a malicious app could fool your MacBook, or any kind of current Mac, into thinking it’s you and do whatever it wants. Security researcher Patrick Wardle, chief research officer at Digita Security, revealed a macOS security loophole yesterday (June 2) at a conference in Monaco dubbed Objective by the Sea. Unfortunately, Apple has not yet patched this flaw, and Wardle told the company of it only last week. To protect yourself, you need to be very careful of applications you download directly from the internet. It would be better to stick to the official Mac App Store instead. Ghost clicks The issue, according to Wardle, is that Apple lets a handful of legacy applications (mostly older versions of current apps such as the popular VLC media player) continue to use “synthetic clicks,” a feature that had let applications bypass Apple’s latest security obstacles by mimicking an authorized user whose permission is needed to allow certain actions. According to EclecticLight.co, the list of legacy apps that Apple has whitelisted to be able to use synthetic clicks includes old versions of Steam, VLC, Sonos Mac Controller, and Logitech Manager. After Wardle and other researchers showed last summer how synthetic clicks could be used to attack Macs, Apple closed the door on the feature with macOS Mojave. But in order to let legacy apps continue to function — Wardle had warned that killing synthetic clicks entirely would “break many legitimate applications” — those older apps got a waiver. “This is frustrating as a researcher to continually find ways to bypass Apple’s protections,” Wardle told Threatpost. “I would be naïve to think that there are no other hackers or sophisticated adversaries that have also found similar holes in Apple’s defenses.” Not checking the chambers Apple does have another safeguard. It permits only applications on an Apple whitelist to use synthetic clicks, whether those apps are legacy or not. The problem is that the verification process is deeply flawed. MacOS is only verifying the apps by checking their digital signatures, and not by actually checking the code inside of those apps or making sure they don’t load extra code after they start running. Yesterday, Wardle proved his concerns valid by injecting a malicious plugin into VLC, one that could perform synthetic clicks — fake user actions — that Apple typically blocks in apps. Imagine a TSA security agent who only checks your ID and doesn’t slide your luggage through the scanning tray. That’s the issue here. “The way they implemented this new security mechanism, it’s 100 percent broken,” Wardle told Wired. “I can bypass all of these new Mojave privacy measures.” Fooling the user It’s not difficult to fool users into installing applications that have been corrupted and weaponized against the user. A major example of this happened in real life in March of 2016 with the popular BitTorrent client Transmission. An attacker might not even need to fool anyone. In 2016, Wardle showed how a corrupted update to legitimate software the user had already installed – in this example, Kaspersky Internet Security for Mac – could bypass all of Apple’s security mechanisms to infect a Mac. Sloppy security practices Wardle’s latest talk has been reported on by a number of outlets, including The Register. How did this happen? Wardle told The Register that “If any security researcher or someone at Apple with a security mindset had audited this code, they would have noticed it. Once you see this bug, it is trivial,” “They are not auditing the code,” he added. “Yhey are implementing these new security features, but the reality is they are often implemented incorrectly.”
Why WWDC Will Usher In a New Era for Apple