Security researcher claims macOS Mojave privacy bug on launch day – TechCrunch

A security researcher has declared a new vulnerability in the latest version of macOS, just hours before the release of the software.

Patrick Wardle, Research Manager at Digita Security, tweeted a video Monday from the workaround function of an apparent privacy feature designed to prevent applications from incorrectly accessing a user's personal data.

For years, Macs have forced applications to request authorization before accessing your contacts and calendar after some iOS apps have been intercepted when downloading private data. Apple said at its annual developer conference this year that it will extend the functionality to apps requesting permission to access the camera, microphone, email, and backups.

Wardle told TechCrunch that his findings are not a "universal bypass" of the feature, but that the bug could allow a malicious application to recover some protected data, such as a user's contacts, when a user is connected.

The video shows the operating system initially rejecting access to its stored contacts, but then copying its full address book to the desktop after running an unprivileged script that simulates a malicious application.

Wardle does not yet disclose the specifics of the bug, he said, because he does not want to put users at risk, but abandoned the video in frustration at the lack of a bug bonus. to the company.

"Other operating system vendors have recognized that any software has vulnerabilities," but that Apple is "doing everything it can."

Apple was one of the last big companies to launch a bug bonus program, offering researchers money security in exchange for vulnerabilities revealed in a responsible manner. Apple has started offering bonuses of up to $ 200,000 for the most serious iOS bugs. But the company neglected to bring the program to macOS, for unknown reasons.

"Unfortunately, Apple does not have to change its approach to security, but it is not," he said. "As a general rule, companies do not change anything before realizing

We have contacted Apple for feedback and we will update if we hear your response.

This is the second time that Wardle has released the details of a serious vulnerability in macOS on launch day – the most recent case date from almost a year ago at the MacOS High Sierra launch. .

Wardle should talk more about the technical details of the Mojave bug at the Objective-by-the-Sea conference in November, he said.

Apple will release macOS Mojave later on Monday.