Apple’s macOS Mojave is now available for download on iMac and MacBook system. While the latest version of macOS brings a host of new features, a security researcher has detected a new vulnerability in Mojave OS. The ‘zero-day’ privacy flaw was unearthed by Patrick Wardle, the chief research officer at Digita Security.
Patrick posting a video on Twitter revealed a privacy feature bypass which is said to be designed to prevent apps from accessing a user’s personal data. The video first spotted by TechCrunch, Patrick told the site that the bug could potentially allow a malicious app to take a user’s protected data, for instance, contacts, when a user is logged in. The one minute clip shared by the researcher shows how an app can be used to manipulate the MacOS system, bypass privacy controls and permit access to a user’s credentials. With the operating system denying access to Wardle’s stored contacts, it later copied his entire address book to the desktop after running an unprivileged script simulating a malicious app, TechCrunch points out. Notably, the security flaw was detected before the macOS Mojave public release.
While Wardle cited that his findings are not a “universal bypass” of the feature to the site, he, however, mentioned the vulnerability to be “trivial, albeit 100 per cent reliable flaw in their implementation.”
This is not the first time a vulnerability has appeared on macOS. In August last year, Wardle revealed a bug ‘CVE-2017-7150’ that is said to impact the modern version of Apple’s macOS software before version 10.13. The researcher back then suggested Apple should bring a macOS bug bounty program for “charity” which otherwise comes for a price up to $2,00,000 for iPhones and iPads.