A security researcher with a history of finding bugs in Apple products discovered a zero-day vulnerability that can bypass Apple’s security protections with “synthetic clicks.”
Security researcher Patrick Wardle demonstrated the bug, at the Object by the Sea security conference in Monaco, which affects macOS Mojave and takes advantage of ‘synthetic events’, a macOS automation feature intended to improve accessibility and enable applications to automate inputs such as mouse clicks and keystrokes.
“The system attempts to verify/validate that these allowed whitelisted apps haven’t been subverted – but their check is flawed, meaning, an attacker can subvert any of these, and add/inject code to perform arbitrary synthetic clicks – for example, to interact with security/privacy alerts in Mojave to access user’s location, the microphone, webcam, photos, SMS/call records,” Wardle told Hacker News:
Wardle demonstrated how malware could virtually ‘click’ the built-in security prompt for new applications without any user interaction. Apple has yet to respond to comment on this issue.