A bug in a developer API allows malicious apps installed on macOS Mojave to gain access to a normally protected folder, from which attackers can extract Safari browsing history data.
The bug affects all known macOS Mojave versions and was discovered last week by Jeff Johnson, the developer of the Underpass Mac and iOS app and the StopTheMadness Safari extension.
“On Mojave, certain folders have restricted access that is forbidden by default,” Johnson wrote in a short blog post last week describing the vulnerability. “For example, ~/Library/Safari. In [the] Terminal app, you can’t even list the contents of that folder.”
Johnson says that by default, Mojave grants access to this folder only to a few select system apps, such as Finder.
“However, I’ve discovered a way to bypass these protections in Mojave and allow apps to look inside ~/Library/Safari without acquiring any permission from the system or from the user,” the developer said.
“There are no permission dialogs, It Just Works.™ In this way, a malware app could secretly violate a user’s privacy by examining their web browsing history.”
Speaking to ZDNet via Twitter, Johnson described the source of the bug only as “a bug in a developer API.” He refused to share any other details on the grounds that the issue has yet to be patched and he doesn’t want to put macOS users at risk.
Johnson said he reported the issue to Apple’s security team, which has formally acknowledged his report.