To exploit the vulnerability, attackers need physical access to the computer, as well as installing a malicious application
Network security and ethical hacking specialists from the International Institute of Cyber Security report the emergence of a new vulnerability in a developer API that allows a malicious app installed on the Mojave MacOS to access a protected folder from which an attacker could extract the Safari browsing history data.
The vulnerability affects all known versions of MacOS Mojave and was reported to Apple in recent days by network security specialist Jeff Johnson.
“Some Mojave folders have restricted access”, the expert mentioned. Johnson says that by default, Mojave provides access to this folder only for some system applications, such as Finder. “However, there is a way to dodge these Mojave protections and allow some apps to access these folders without the need for user or system permissions. A malicious application could compromise the user’s privacy by extracting its browsing history”.
The network security expert only mentioned that the vulnerability is an API developer flaw; although he decided not to disclose further details, he claims that the vulnerability has not yet been corrected. The expert added that Apple has already been informed of the situation.
So far, there are no known risk mitigation methods, although the vulnerability is exploitable only by using a malicious application executed in the system. “There is No form of remote exploitation,” the expert mentions.
Although the expert refuses to share more details, he stresses that the vulnerability has nothing to do with a similar exploit revealed last week through Twitter by cybersecurity specialist Bob Rudis.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.
