macOS zero-day in Mojave could allow Synthetic Clicks attacks

Pierluigi Paganini June 04, 2019

A security expert found a flaw could be exploited to bypass macOS security and privacy features by using synthetic clicks.

The popular white hat hacker Patrick Wardle, co-founder and chief research officer at Digita Security, discovered a vulnerability that could be exploited to bypass security warnings by performing ‘Synthetic Clicks’ on behalf of users without requiring their interaction.

In June, Apple introduced a core security feature in MacOS that force applications into taking permission from users before accessing sensitive data or components on the system (i.e. device camera, microphone, location data, photos, messages, and browsing history).

Wardle disclosed the issue over the weekend during the meeting arranged by his company.

Wardle explained that a “subtle code-signing issue” in macOS could allow the hack of any trusted application to generate synthetic clicks, bypassing the core security feature introduced in 2018. Malware developers and hackers might use synthetic mouse-click attacks to emulate human behavior in approving security warnings.

The attack could be triggered by an attacker with local access to the device when the screen is dimmed, this means that it could be very difficult to spot.

According to Wardle, no special privileges are required to carry out the attack.

The attack ties the Transparency Consent and Control (TCC) system, which maintains databases for privacy control settings. The system also includes a compatibility database, stored in the AllowApplicationsList.plist. This database is used to manage access to protected functions for specific versions of apps with specific signatures, it works as a sort of whitelist.

Wardle explained that an attacker can modify one of the applications in the whitelist and execute it to generate synthetic clicks. An attacker can download a modified version of the targeted app and run it. Apple is not able to detect the changes to the targeted app due to a flaw in code validation checks.

 synthetic clicks

Wardle discovered several issued in macOS that could be exploited to allow synthetic clicks, he publicly disclosed one in September 2018 and another one at DefCon 2018.

The security updates released by Apple over the time failed in completely addressing the issue allowing the expert to launch synthetic click attacks. Wardle reported his discovery to Apple a few days ago that acknowledged the problem and likely is already working to address it.

Waiting for a fix, macOS users could install the GamePlan, the endpoint protection product designed by Digita Security, that prevents synthetic clicks.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Apple, zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment