A security researcher who last year bypassed Apple's then newly introduced macOS privacy feature has once again found a way to bypass security warnings by performing 'Synthetic Clicks' on behalf of users, without requiring any interaction from them.
Last June, Apple introduced a core security feature in macOS that made it mandatory for all applications to obtain permission ("allow" or "deny") from users before accessing sensitive data or components on the system, including the device camera or microphone, location data, messages, and browsing history.
For those unaware, ‘Synthetic Clicks’ are programmatic and invisible mouse clicks that are generated by a software program rather than a human.
macOS itself has built-in functionality for synthetic clicks, but only as an accessibility feature that lets people with disabilities interact with the system interface in non-traditional ways.
However, security researcher Patrick Wardle found at the time a critical flaw in macOS that could have allowed malicious applications installed on a targeted system to virtually "click" security prompt buttons without any user interaction or actual consent.
Though Apple patched that issue a few weeks after public disclosure, Wardle has once again publicly demonstrated a new workaround that could allow apps to perform 'Synthetic Clicks' to access users' private data without their explicit permission.
After that fix, the feature is available only to Apple-approved (whitelisted) apps, which is meant to prevent malicious apps from abusing these programmatic clicks.
However, Wardle told The Hacker News that on Mojave there is a validation flaw in the way macOS checks the integrity of whitelisted apps: the operating system checks that an app's digital certificate exists but fails to validate whether the app has been tampered with.
“System attempts to verify/validate at these allowed white-listed apps haven’t been subverted—but their check is flawed, meaning, an attacker can subvert any of these, and add/inject code to perform arbitrary synthetic clicks—for example to interact with security/privacy alerts in Mojave to access user’s location, the microphone, webcam, photos, SMS/call records,” Wardle told The Hacker News.
Moreover, “those [whitelisted] apps don’t have to be present on the system. The attacker could bring one of the white-listed apps to the system (perhaps pre-subverted) and run it in the background, to generate clicks.”
While demonstrating the zero-day vulnerability at the Objective by the Sea conference in Monte Carlo, Wardle abused VLC Player, one of Apple's approved apps, to include his malware as an unsigned plugin and perform synthetic clicks on a consent prompt programmatically, without requiring any user interaction.
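The distinction the flaw turns on, a signature record merely being present versus the bundle's contents actually matching what was signed, as an added illustration that is not code from the article, from Wardle, or from macOS. It assumes a constructed stand-in for code signing (an HMAC-authenticated manifest of file hashes in place of Apple's certificate-based signature) and a constructed bundle layout and plugin file name, so that an unsigned plugin dropped in after signing can be checked against both the flawed and the strict logic.

```python
import hashlib, hmac, json, pathlib, tempfile

# Constructed stand-in for the vendor's signing key: a real bundle carries a
# certificate-based signature; the HMAC only models "signed by the vendor".
SIGNING_KEY = b"constructed-demo-key"
MANIFEST = "_CodeSignature/CodeResources"

def write_file(bundle, rel, data):
    path = pathlib.Path(bundle, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)

def _hash_files(bundle):
    # SHA-256 of every file in the bundle except the signature record itself.
    root = pathlib.Path(bundle)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file() and p.relative_to(root).as_posix() != MANIFEST}

def _tag(hashes):
    body = json.dumps(hashes, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, body, "sha256").hexdigest()

def sign_bundle(bundle):
    # Record every file's hash, then authenticate that record.
    hashes = _hash_files(bundle)
    write_file(bundle, MANIFEST, json.dumps({"hashes": hashes, "tag": _tag(hashes)}).encode())

def weak_check(bundle):
    # The flawed logic: a signature record exists, so the app is trusted.
    return pathlib.Path(bundle, MANIFEST).is_file()

def strict_check(bundle):
    # Authenticate the record, then require the on-disk contents to match it
    # exactly: a modified file or an extra, unsigned plugin both fail.
    try:
        manifest = json.loads(pathlib.Path(bundle, MANIFEST).read_bytes())
        expected, tag = manifest["hashes"], manifest["tag"]
        authentic = hmac.compare_digest(_tag(expected), tag)
    except (OSError, ValueError, KeyError, TypeError):
        return False
    return authentic and _hash_files(bundle) == expected

def make_demo_bundle(inject_plugin=False):
    # Constructed sample app: signed while pristine, then optionally tampered
    # with by dropping an unsigned plugin into it after signing.
    bundle = tempfile.mkdtemp(prefix="demo.app")
    write_file(bundle, "Contents/MacOS/demo", b"original binary")
    sign_bundle(bundle)
    if inject_plugin:
        write_file(bundle, "Contents/plugins/late.dylib", b"unsigned plugin added after signing")
    return bundle
```

Both checks accept the pristine bundle; only the strict check rejects the bundle with the late-added plugin, which is the gap the existence-only validation leaves open.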
Wardle refers to the new synthetic click vulnerability as a “2nd stage attack,” meaning an attacker would need to have remote access to a victim’s macOS computer already or have installed a malicious application.
Wardle reported his findings to Apple last week, and the company confirmed receiving his report but did not say when it plans to patch the issue.