Another hole in Mojave privacy protection

September 26, 2018

By Jeff Johnson

On Monday, Apple released macOS 10.14 Mojave. One of the new features is supposed to be enhanced privacy protection for Mac users. However, holes that would allow malware to bypass this privacy protection have already been discovered by Patrick Wardle and SentinelOne. I've discovered a third. I emailed all of the details of my discovery to Apple product security on Monday evening. I'm publicly disclosing that I've found a privacy protection bypass, but I won't publicly disclose the details of that bypass now. I will disclose them at some point in the future, though I currently have no timeline for that. We'll see what Apple does. In the meantime, I'll offer a few points of clarification:

  1. Don't panic. I've discovered a weakness in a new privacy feature. I haven't discovered a preexisting vulnerability. You're as safe on Mojave as you were on High Sierra. You're just not safer on Mojave than you were on High Sierra.
  2. I used a different attack vector than SentinelOne (ssh) and Wardle. I don't know what Patrick's attack vector is, but I did ask him if he used mine, and he said no. So there are at least 3 different privacy protection bypasses in Mojave. I suspect that there are even more.
  3. My bypass has been independently verified.
  4. I discovered the bypass within an hour or two of hacking on Mojave on Monday. I was inspired to look after I saw Patrick post his video. As soon as I saw that a bypass was possible, I started to develop theories about how it was done. I was wrong about how Patrick did it, but I found something anyway.
  5. I'm not a security vulnerability researcher, just an app developer. (Please buy my apps StopTheMadness and Underpass!) If I can find a bypass, then malware authors certainly can too.

Biographical note: I have a CVE to my credit and have found a few other privacy and security issues.