Skip to main content

Security researcher claims macOS Mojave privacy bug on launch day

A security researcher has claimed a new vulnerability in the latest version of macOS — just hours before the software is due to be released.

Patrick Wardle, chief researcher officer at Digita Security, tweeted a video Monday of an apparent privacy feature bypass that’s designed to prevent apps from improperly accessing a user’s personal data.

For years, Macs have forced apps to ask for permission before accessing your contacts and calendar after some iOS apps were caught uploading private data. Apple said at its annual developer conference this year that it would expand the feature to include apps asking for permission to access the camera, microphone, email and backups.

Wardle told TechCrunch that his findings are “not a universal bypass” of the feature, but that the bug could allow a malicious app to grab certain protected data, such as a user’s contacts, when a user is logged in.

The video shows the operating system initially rejecting access to his stored contacts, but later copying his entire address book to the desktop after running an unprivileged script simulating a malicious app.

Wardle isn’t releasing specifics of the bug yet, he said, because he doesn’t want to put users at risk, but dropped the video out of frustration at the company’s lack of bug bounty, which he said disincentives security researchers from reporting bugs to the company.

“Other operating system vendors have acknowledged that any software is going to have vulnerabilities,” but that Apple is “sticking its head in the sand.”

Apple was one of the last major companies to roll out a bug bounty program — giving security researchers money in exchange for responsibly disclosed vulnerabilities. Apple began offering cash bounties of up to $200,000 for the most severe iOS bugs. But the company has neglected to port the program over to macOS, for reasons unknown.

“Unfortunately until there’s a reason for Apple to change its approach to security, it’s not going to,” he said. “Generally, companies don’t change something until they realize it’s broken.”

We reached out to Apple for comment and will update if we hear back.

It’s the second time Wardle released details of a serious vulnerability in macOS on launch day — the most recent case was almost exactly a year ago at the launch of macOS High Sierra.

Wardle is expected to talk more of the technical details of the Mojave bug at the Objective-by-the-Sea conference in November, he said.

Apple will release macOS Mojave later on Monday.



from Apple – TechCrunch https://ift.tt/2OS1kDy

Comments

Popular posts from this blog

Axeleo Capital raises $51 million fund

Axeleo Capital has raised a $51 million fund (€45 million). Axeleo first started with an accelerator focused on enterprise startups. The firm is now all grown up with an acceleration program and a full-fledged VC fund. The accelerator is now called Axeleo Scale , while the fund is called Axeleo Capital . And it’s important to mention both parts of the business as they work hand in hand. Axeleo picks up around 10 startups per year and help them reach the Series A stage. If they’re doing well over the 12 to 18 months of the program, Axeleo funds those startups using its VC fund. Limited partners behind the company’s first fund include Bpifrance through the French Tech Accélération program, the Auvergne-Rhône-Alpes region, Vinci Energies, Crédit Agricole, BNP Paribas, Caisse d’Épargne Rhône-Alpes as well as various business angels and family offices. The firm is also partnering with Hi Inov, the holding company of the Dentressangle family. Axeleo will take care of the early stage in...

Puls raises $50 million for in-home technical support

A fund affiliated with the Singaporean government has a great interest in making sure that American consumers are getting the tech support they need. Temasek, the multi-billion-dollar investment fund associated with the government in Singapore, has led a $50 million round for  Puls Technologies, Inc. , a San Francisco-based company aiming to be the tech support for American homes and offices. Current investors Sequoia Capital, Red Dot Capital Partners, Samsung NEXT and Viola Ventures all participated in the new financing, alongside additional new investors Hanaco Ventures and Hamilton Lane. Founded only three years ago, Puls pitches a service that can match consumers with the appropriate technician in a little over an hour, any day of the week. The company has built a network of 2,500 technicians in the top 50 cities in the United States, and will provide same-day installation and repair of over 200 products. Some things the company’s technicians can service include smartphon...