A security researcher has disclosed a new vulnerability in the upcoming version of macOS, just days before its official release. The bug, which affects the operating system’s privacy protections, was revealed by Patrick Wardle, chief research officer at Digita Security.
The Bug: A Bypass of Privacy Protections?
Wardle tweeted a video showcasing an apparent bypass of Apple’s new feature designed to prevent apps from accessing users’ personal data without permission. The feature, which will be expanded to include camera, microphone, email, and backups access, was touted by Apple at its annual developer conference this year.
However, Wardle claims that his findings are not a universal bypass of the feature but rather a bug that could allow malicious apps to grab protected data, such as contacts, when a user is logged in. The video demonstrates how an unprivileged script simulating a malicious app can copy a user’s entire address book to the desktop.
The Consequences
Wardle emphasizes that he is not releasing specifics of the bug yet, citing concerns about putting users at risk. However, he has expressed frustration with Apple’s lack of a bug bounty program, which he believes disincentivizes security researchers from reporting bugs to the company.
"We’re seeing companies like Google and Microsoft acknowledge that any software will have vulnerabilities," Wardle said. "But Apple is sticking its head in the sand."
The Bug Bounty Program: A Necessary Evil?
Apple’s bug bounty program, which offers cash rewards for responsibly disclosed vulnerabilities, was introduced last year for iOS bugs but has not yet been extended to cover macOS.
Wardle argues that this lack of a program creates an environment where security researchers are less likely to report bugs, citing the potential for financial gain from other companies’ programs. "Companies don’t change their approach until they realize it’s broken," he said.
A Familiar Scenario?
This is not the first time Wardle has disclosed a serious macOS vulnerability on launch day. Almost exactly a year ago, he revealed a similar bug at the launch of macOS High Sierra.
What’s Next?
Wardle plans to discuss the technical details of the Mojave bug further at the Objective-by-the-Sea conference in November. Apple will release macOS Mojave later today, and TechCrunch has reached out to the company for comment but has yet to receive a response.
The Implications: A Wake-Up Call?
This new vulnerability raises questions about Apple’s commitment to security and its approach to handling bugs. As Wardle pointed out, companies like Google and Microsoft have acknowledged that vulnerabilities will always exist, but Apple seems to be taking a more ostrich-like approach.
Will this be the wake-up call Apple needs to take security seriously? Only time will tell, but for now, users should be aware of the potential risks associated with this new vulnerability.