Spying on Safari in Mojave

February 9, 2019

By Jeff Johnson

At the end of this blog post I'll provide an update to yesterday's blog post, but first and more importantly I want to report a new hole that I just found in macOS Mojave's privacy protections. This hole exists in every version of Mojave, including macOS Mojave 10.14.3 Supplemental Update released on February 7.

On Mojave, access to certain folders is forbidden by default, for example ~/Library/Safari. In the Terminal app, you can't even list the contents of that folder:

$ ls Library/Safari
ls: Safari: Operation not permitted
$ sudo ls Library/Safari
ls: Safari: Operation not permitted
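The session above fails with "Operation not permitted" (EPERM) rather than "Permission denied" (EACCES), which is why sudo makes no difference. The script below is an added example, not code from this post: it probes directories the same way and reports which kind of refusal each one gives, so you can check what your own Terminal is allowed to read. The function names `classify_ls_error`, `probe_dir` and `audit` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). All function names are hypothetical.

# classify_ls_error MESSAGE
# Map the text of an ls error onto the kind of refusal it represents.
classify_ls_error() {
    case "$1" in
        # EPERM: the error the post shows for ~/Library/Safari, even under sudo.
        *"Operation not permitted"*)   echo "blocked-eperm" ;;
        # EACCES: ordinary Unix permission bits or ACLs.
        *"Permission denied"*)         echo "denied-eacces" ;;
        # ENOENT: nothing to protect at this path.
        *"No such file or directory"*) echo "missing" ;;
        *)                             echo "other" ;;
    esac
}

# probe_dir DIR
# Try to list DIR exactly as the session above does; print "readable" or the
# classification of the failure. LC_ALL=C keeps the error text in English.
probe_dir() {
    if err=$(LC_ALL=C ls -- "$1" 2>&1 >/dev/null); then
        echo "readable"
    else
        classify_ls_error "$err"
    fi
}

# audit DIR...
# One line per directory: result, then path, separated by a tab.
audit() {
    for d in "$@"; do
        printf '%s\t%s\n' "$(probe_dir "$d")" "$d"
    done
}

# With no arguments, check the one folder the post names.
if [ "$#" -eq 0 ]; then
    set -- "$HOME/Library/Safari"
fi
audit "$@"
```

A result of `readable` for ~/Library/Safari means the process running the script has been given access to that folder, so it is worth knowing which apps on your machine report that.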

Mojave provides special access to this folder for only a few apps, such as Finder. However, I've discovered a way to bypass these protections in Mojave and allow apps to look inside ~/Library/Safari without acquiring any permission from the system or from the user. There are no permission dialogs, It Just Works.™ In this way, a malware app could secretly violate a user's privacy by examining their web browsing history.

I emailed Apple Product Security this morning with a full report of the bug, and I already received an automated acknowledgement of the report.

My bypass works with the "hardened runtime" enabled. Thus, an app with the ability to spy on Safari could be "notarized" by Apple (as long as it passed their automated malware checks, which I suspect would be no problem). My bypass does not work with sandboxed apps, as far as I can tell.

I should note, since I happen to develop the Safari extension StopTheMadness, that this privacy protection bypass has nothing at all to do with Safari extensions. The bypass uses a completely different method. Moreover, StopTheMadness is sandboxed, as required by the Mac App Store. My extension does not and will never spy on you or your browsing history. It's safe, and it's awesome, so please buy it!

I've said this before, and I'll say it again: Don't Panic. Mojave privacy protection is a new feature in macOS 10.14. Any weakness in the privacy protection is simply a flaw in the new feature. You're as safe on Mojave as you were on High Sierra, which did not have this feature at all. You just might not be safer on Mojave than you were on High Sierra.

Update on previous issue

Yesterday I wrote a blog post about how Apple Product Security has failed to credit me for my previous discovery of another hole in Mojave's privacy protections. Later that day, Apple updated their support article online. The article now credits me, but unfortunately it credits me for the wrong bug. Perhaps the update was a rush job in response to my blog post, who knows.

Before February 8, Patrick Wardle had full credit for the Dock bug, which he deserves. My bug involved Automator, not the Dock or Dock tiles. Yesterday I watched Patrick's YouTube video about his exploit for the first time. (I found it amusing that halfway through he mentioned how Mojave grants special camera access to FaceTime. This video was made before the whole Group FaceTime debacle.)

I didn't realize until watching the video that Patrick's exploit only granted access to the address book. It turns out that my exploit was much more powerful, because it could do anything that Automator can do. Which is a lot. Both of those exploits were fixed, though, in macOS 10.14.1. Now we just need to get Apple to sort out the credits. Sorry, Patrick, for stealing yours! I just want my own.