macOS security defect allows malicious apps to steal Safari browsing history

The vulnerability cannot be exploited remotely; users need to install a malicious app in advance. Last week, operational details were shared privately with Apple’s security team.

A bug in a developer API allows malicious apps installed on macOS Mojave to access a normally protected folder, from which attackers can extract Safari browsing history data.

The bug affects all known versions of macOS Mojave and was discovered last week by Jeff Johnson, the developer of the Underpass app for Mac and iOS and the StopTheMadness Safari extension. “Some folders have restricted access on Mojave, which is prohibited by default,” Johnson explained last week in a short blog post.

“For example, ~/Library/Safari. You can’t even list the contents of this folder in [the] Terminal app.” Johnson says that, by default, Mojave only provides access to this folder for a few selected system applications, such as Finder. “However, I have found a way to bypass these protections in Mojave and allow apps to look inside ~/Library/Safari without the system’s or user’s permission,” the developer said.

“There are no permission dialogs, it only works.™ In this way, a malware app could secretly violate the privacy of a user by examining the history of their web browsing.” Johnson described the source of the bug only as “a bug in a developer API.”

He declined to share any other details on the grounds that the problem has yet to be patched and he does not want to put macOS users at risk. Johnson said he reported the problem to Apple’s security team, which officially acknowledged his report. “They said they looked at my report and investigated it,” the developer told ZDNet.

“This is a standard answer. They usually don’t provide updates once you report a problem to them, so I don’t expect more communication from them until they fix it.” But while Johnson declined to share any other details for now, he pointed out that the bug he discovered is not related to a trick that Rapid7 security researcher Bob Rudis shared online last week, which was presumed to be the same as the one Johnson discovered.


Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.