Apple released the macOS Mojave 10.14 update last night, which brings a number of new features such as Dark Mode, Dynamic Desktop and Stacks, among others. The software update also brings bug fixes and performance improvements, but hours after its release, a security researcher has found a new vulnerability that could leave your data at risk.
According to security researcher Patrick Wardle, the flaw bypasses the operating system’s privacy protection and leaves user data like contacts vulnerable. The researcher has also demonstrated how the bypass works in a short one-minute video. When Apple unveiled macOS Mojave at WWDC 2018, it talked about “improved privacy protections,” but looking at the vulnerability, it is evident that Apple has failed to deliver on its promise.
With macOS Mojave, Apple has made a major change that will require user consent for apps to access data, contacts, reminders, message history, camera, mail databases and other sensitive information. This should have prevented the vulnerability demonstrated by the security researcher.
Speaking to Bleeping Computer, Wardle said, “I found a trivial, albeit 100% reliable flaw in their implementation,” adding that it allows a malicious or untrusted app to bypass the new security mechanism and access the sensitive details without authorization.
The demo video shows how one can quickly and easily access contacts after access to the data was first denied in Terminal. Wardle mentioned that he will share the specifics with Apple, and also plans to offer the earned bounty to charity. He will share more information at a Mac security conference, Objective by the Sea, in November.