Share

• Copy link
• Facebook
• X
• Reddit
• Email

Share this article

Join the conversation

Follow us

Add us as a preferred source on Google

Newsletter

Get the Tom's Guide Newsletter

Here at Tom’s Guide our expert editors are committed to bringing you the best news, reviews and guides to help you stay informed and ahead of the curve!

Become a Member in Seconds

Unlock instant access to exclusive member features.

Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors

---

By submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.

You are now subscribed

Your newsletter sign-up was successful

---

Want to add more newsletters?

Daily (Mon-Sun)

Tom's Guide Daily

Sign up to get the latest updates on all of your favorite content! From cutting-edge tech news and the hottest streaming buzz to unbeatable deals on the best products and in-depth reviews, we’ve got you covered.

Signup +

Weekly on Thursday

Tom's AI Guide

Be AI savvy with your weekly newsletter summing up all the biggest AI news you need to know. Plus, analysis from our AI editor and tips on how to use the latest AI tools!

Signup +

Weekly on Friday

Tom's iGuide

Unlock the vast world of Apple news straight to your inbox. With coverage on everything from exciting product launches to essential software updates, this is your go-to source for the latest updates on all the best Apple content.

Signup +

Weekly on Monday

Tom's Streaming Guide

Our weekly newsletter is expertly crafted to immerse you in the world of streaming. Stay updated on the latest releases and our top recommendations across your favorite streaming platforms.

Signup +

---

Join the club

Get full access to premium articles, exclusive features and a growing list of member rewards.

Explore

---

An account already exists for this email address, please log in.

Subscribe to our newsletter

WWDC 2019 isn't the only serious news on the desks of Apple's engineers this morning. 

If exploited properly, a malicious app could fool your MacBook, or any kind of current Mac, into thinking it's you and do whatever it wants. Security researcher Patrick Wardle, chief research officer at Digita Security, revealed a macOS security loophole yesterday (June 2) at a conference in Monaco dubbed Objective by the Sea. 

Unfortunately, Apple has not yet patched this flaw, and Wardle told the company of it only last week. To protect yourself, you need to be very careful of applications you download directly from the internet. It would be better to stick to the official Mac App Store instead.

Ghost clicks

The issue, according to Wardle, is that Apple lets a handful of legacy applications (mostly older versions of current apps such as the popular VLC media player) continue to use "synthetic clicks," a feature that had let applications bypass Apple's latest security obstacles by mimicking an authorized user whose permission is needed to allow certain actions.

According to EclecticLight.co, the list of legacy apps that Apple has whitelisted to be able to use synthetic clicks includes old versions of Steam, VLC, Sonos Mac Controller, and Logitech Manager.

After Wardle and other researchers showed last summer how synthetic clicks could be used to attack Macs, Apple closed the door on the feature with macOS Mojave. But in order to let legacy apps continue to function — Wardle had warned that killing synthetic clicks entirely would "break many legitimate applications" — those older apps got a waiver. 

"This is frustrating as a researcher to continually find ways to bypass Apple's protections," Wardle told Threatpost. "I would be naïve to think that there are no other hackers or sophisticated adversaries that have also found similar holes in Apple's defenses."

Not checking the chambers

Apple does have another safeguard. It permits only applications on an Apple whitelist to use synthetic clicks, whether those apps are legacy or not. The problem is that the verification process is deeply flawed.

MacOS is only verifying the apps by checking their digital signatures, and not by actually checking the code inside of those apps or making sure they don't load extra code after they start running. Yesterday, Wardle proved his concerns valid by injecting a malicious plugin into VLC, one that could perform synthetic clicks — fake user actions — that Apple typically blocks in apps.

Imagine a TSA security agent who only checks your ID and doesn't slide your luggage through the scanning tray. That's the issue here.

"The way they implemented this new security mechanism, it's 100 percent broken," Wardle told Wired. "I can bypass all of these new Mojave privacy measures."

Fooling the user

It's not difficult to fool users into installing applications that have been corrupted and weaponized against the user. A major example of this happened in real life in March of 2016 with the popular BitTorrent client Transmission.

An attacker might not even need to fool anyone. In 2016, Wardle showed how a corrupted update to legitimate software the user had already installed -- in this example, Kaspersky Internet Security for Mac -- could bypass all of Apple's security mechanisms to infect a Mac.

Sloppy security practices

Wardle's latest talk has been reported on by a number of outlets, including The Register. 

How did this happen? Wardle told The Register that "If any security researcher or someone at Apple with a security mindset had audited this code, they would have noticed it. Once you see this bug, it is trivial,"

"They are not auditing the code," he added. "Yhey are implementing these new security features, but the reality is they are often implemented incorrectly."

• Why WWDC Will Usher In a New Era for Apple

This article originally appeared on Laptop Mag.