Researcher Patrick Wardle has discovered a zero-day flaw in macOS Mojave that allows attackers to bypass Gatekeeper and run malicious code through whitelisted applications. The problem lies in the way macOS validates those apps, a check the researcher calls “100% broken”. Wardle is an experienced macOS specialist and former NSA researcher, and the founder of the Mac security company Objective-See.
With the latest macOS update, Apple released a number of privacy and security features meant to block suspicious activity and ensure that a pop-up always appears when an app requests a sensitive action from the system. As the researcher discovered, however, this is not always the case, and the protection can be bypassed. As Wardle showed in a presentation at the 'Objective by the Sea' security conference, macOS’ 'synthetic clicks' feature makes it possible for an attacker to activate the camera, microphone and GPS, and even alter the system’s kernel contents permanently. No pop-ups are ever shown to the user, and there is no indication that the ghost clicks are taking place.
While 'synthetic clicks' are intended to support Mojave’s accessibility features, they can be abused, and Apple is well aware of this. To mitigate the risk, Apple added an app verification step that asks users to approve the whitelisting of an app before it is granted 'synthetic clicks' rights. However, some applications are exempt from this process, and oddly, the list includes some of the most commonly used applications found on macOS computers, among them Steam, Adobe Dreamweaver and VLC. These apps have access to 'synthetic clicks' by default, without the user ever being asked.
Wardle used VLC to demonstrate his proof-of-concept code, modifying the application's code to turn on the system’s microphone without any warning being displayed on the screen. In a second stage, the researcher demonstrated the ability to install backdoors on the infected system and then remotely execute whatever he wanted on the victim’s machine, access its files, and so on. These actions should cause Mojave to display the confirmation dialog, but because of the flawed 'synthetic mouse clicks' implementation, it doesn’t.
Apple was notified by the researcher a week before the demonstration but failed to produce a fix. The researcher says he gave Apple so little time because they ignored him in the past, so he is now trying a different route: putting public pressure on them.