Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

Hackers Can Bypass macOS Security Features With Synthetic Clicks

Hackers can use synthetic clicks to bypass many of the privacy and security features implemented last year by Apple in its macOS operating system, a researcher has revealed.

Hackers can use synthetic clicks to bypass many of the privacy and security features implemented last year by Apple in its macOS operating system, a researcher has revealed.

Patrick Wardle, co-founder and chief research officer at Digita Security, a company that specializes in security products and services for macOS, has discovered a vulnerability that allows hackers, malware or unauthorized applications to locally bypass some features announced by Apple at its 2018 Worldwide Developers Conference (WWDC).

At the time, Apple revealed that macOS Mojave would alert users every time an application wants to access their camera, microphone, events, contacts, location, photos, backups, Safari data, history, and mail database, or when an app attempts to obtain admin privileges or remotely control processes.

macOS security alert - Credits: Intego

Over the weekend, just as Apple was preparing to kick off the 2019 WWDC, Wardle revealed at his company’s Mac security conference, Objective by the Sea, that a “subtle code-signing issue” in macOS allows any trusted application to be subverted to generate synthetic clicks, which should normally be prevented by the operating system.

Malicious actors can bypass the alerts presented to macOS users when an application wants to access their data or device through a synthetic click on the “OK” button in privacy and security prompts.

Wardle says that while such an attack could raise suspicion from the user given that they might see the action taking place on their screen, an attacker could trigger the exploit when the screen is dimmed (when the display is going to sleep).

It’s worth noting that this is a second stage attack. The attacker needs to have access to the targeted Mac before executing the exploit, but Wardle told SecurityWeek that no special privileges are required to perform an attack.

The attack involves the Transparency Consent and Control (TCC) system, which maintains databases for privacy control settings, including what component each application is allowed to access. The system also includes a compatibility database, stored in a file named AllowApplicationsList.plist, which serves as a whitelist with rules for granting access to protected functions for specific versions of apps with specific signatures.

An attacker can pick an application from this whitelist, make malicious modifications to it, and then execute it to generate synthetic clicks. The modifications to the targeted app are not detected by Apple due to a subtle flaw in the code validation checks.

Wardle explained that the attacker can simply download a modified version of the targeted app and run it.

“Basically, the system will always allow synthetic clicks from the whitelisted apps (on the whitelist) — it doesn’t care if the app was installed by the user, or if malware downloaded and ran it, specifically to generate clicks,” the researcher said via email.

For instance, an attacker can target the popular VLC media player and simply add a malicious plugin to the application in order to be able to generate synthetic clicks.

Synthetic click attack

Wardle has identified several vulnerabilities in macOS that allow synthetic clicks, including one disclosed last year at DefCon. Apple has been patching the weaknesses, but Wardle says the patches are often incomplete and he believes “Apple has struggled to prevent synthetic click attacks.”

Wardle told SecurityWeek that he reported his findings to Apple roughly one week ago and the company confirmed receiving his report. However, it’s unclear what action the company plans on taking.

In the meantime, the expert has pointed out that GamePlan, an endpoint protection product designed by Digita Security for enterprise Mac fleets, can detect these types of synthetic clicks.

SecurityWeek has reached out to Apple for comment and will update this article if the company responds.

Related: macOS Mojave Patches Vulnerabilities, But New Flaws Already Emerge

Related: New Tool Detects Evil Maid Attacks on Mac Laptops

Related: How Antivirus Software Can be the Perfect Spying Tool

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.