A newly discovered design flaw in recent versions of macOS could allow malicious apps to spy on a user’s Safari browsing history.
The vulnerability was first discovered by app developer Jeff Johnson. In a blog post, Johnson notes that the flaw exists in every version of macOS Mojave — including the most recent 10.14.3 Supplemental Update released on Feb. 7.
Essentially, the design flaw is a hole in macOS Mojave’s privacy protections. Normally, access to certain folders is restricted by Mojave. Johnson uses the example of the ~/ Library/Safari folder, which contains a user’s Safari browsing history, along with their reading lists, remote notifications, template cons, and other data.
These restrictions mean that only certain apps, like Finder, can access the folder. But Johnson notes that he’s discovered a way to bypass those protections in Mojave. The vulnerability could let other apps look inside the Library/Safari folder without prompting any permission requests from the system or user.
“In this way, a malware app could secretly violate a user’s privacy by examining their web browsing history,” Johnson wrote.
Of course, Johnson refrained from disclosing too many details about the design flaw. But he points out that the vulnerability has “nothing at all to do with Safari extensions.” Instead, it uses a different method.
The developer told Threatpost that a user would need to specifically install and run a malicious app for the flaw to be leveraged. But once that app is running, it would be able to exploit it “silently and secretly, without any further permissions.”
While the flaw exists unpatched on every version of Mojave, Johnson points out that users running the software are just as safe as those running previous versions of macOS.
That’s because the privacy protections on folders included in Mojave weren’t present in past macOS versions, such as High Sierra.
“The technique I used on Mojave would also work on High Sierra, but that’s not surprising for High Sierra,” Johnson told Threatpost. “The surprise is that the technique still works on Mojave.”
Johnson notes that he has alerted Apple Product Security with a report containing the full details of the vulnerability. According to him, Apple is aware of the design flaw but may take some time to issue a software update with a patch for it.