Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Hackers Can Bypass macOS Security Features With Synthetic Clicks

Hackers can use synthetic clicks to bypass many of the privacy and security features implemented last year by Apple in its macOS operating system, a researcher has revealed.

Hackers can use synthetic clicks to bypass many of the privacy and security features implemented last year by Apple in its macOS operating system, a researcher has revealed.

Patrick Wardle, co-founder and chief research officer at Digita Security, a company that specializes in security products and services for macOS, has discovered a vulnerability that allows hackers, malware or unauthorized applications to locally bypass some features announced by Apple at its 2018 Worldwide Developers Conference (WWDC).

At the time, Apple revealed that macOS Mojave would alert users every time an application wants to access their camera, microphone, events, contacts, location, photos, backups, Safari data, history, and mail database, or when an app attempts to obtain admin privileges or remotely control processes.

macOS security alert - Credits: Intego

Over the weekend, just as Apple was preparing to kick off the 2019 WWDC, Wardle revealed at his company’s Mac security conference, Objective by the Sea, that a “subtle code-signing issue” in macOS allows any trusted application to be subverted to generate synthetic clicks, which should normally be prevented by the operating system.

Malicious actors can bypass the alerts presented to macOS users when an application wants to access their data or device through a synthetic click on the “OK” button in privacy and security prompts.

Wardle says that while such an attack could raise suspicion from the user given that they might see the action taking place on their screen, an attacker could trigger the exploit when the screen is dimmed (when the display is going to sleep).

It’s worth noting that this is a second stage attack. The attacker needs to have access to the targeted Mac before executing the exploit, but Wardle told SecurityWeek that no special privileges are required to perform an attack.

The attack involves the Transparency Consent and Control (TCC) system, which maintains databases for privacy control settings, including what component each application is allowed to access. The system also includes a compatibility database, stored in a file named AllowApplicationsList.plist, which serves as a whitelist with rules for granting access to protected functions for specific versions of apps with specific signatures.

Advertisement. Scroll to continue reading.

An attacker can pick an application from this whitelist, make malicious modifications to it, and then execute it to generate synthetic clicks. The modifications to the targeted app are not detected by Apple due to a subtle flaw in the code validation checks.

Wardle explained that the attacker can simply download a modified version of the targeted app and run it.

“Basically, the system will always allow synthetic clicks from the whitelisted apps (on the whitelist) — it doesn’t care if the app was installed by the user, or if malware downloaded and ran it, specifically to generate clicks,” the researcher said via email.

For instance, an attacker can target the popular VLC media player and simply add a malicious plugin to the application in order to be able to generate synthetic clicks.

Synthetic click attack

Wardle has identified several vulnerabilities in macOS that allow synthetic clicks, including one disclosed last year at DefCon. Apple has been patching the weaknesses, but Wardle says the patches are often incomplete and he believes “Apple has struggled to prevent synthetic click attacks.”

Wardle told SecurityWeek that he reported his findings to Apple roughly one week ago and the company confirmed receiving his report. However, it’s unclear what action the company plans on taking.

In the meantime, the expert has pointed out that GamePlan, an endpoint protection product designed by Digita Security for enterprise Mac fleets, can detect these types of synthetic clicks.

SecurityWeek has reached out to Apple for comment and will update this article if the company responds.

Related: macOS Mojave Patches Vulnerabilities, But New Flaws Already Emerge

Related: New Tool Detects Evil Maid Attacks on Mac Laptops

Related: How Antivirus Software Can be the Perfect Spying Tool

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.