Unpatched Apple macOS Hole Exposes Safari Browsing History

A design flaw in Apple’s macOS could allow a malicious application to steal victims’ Safari web browsing history.

The security hole exists in every version of the Mac’s Mojave operating system, including macOS Mojave 10.14.3 Supplemental Update recently released on Feb. 7. That’s according to Mac and iOS developer Jeff Johnson, who disclosed the bug over the weekend.

The issue specifically exists in the fact that there are no permission dialogues for apps in certain folders. While enforcing permissions would mean that these folders could only be accessed by certain apps, the alternative (no permissions required) in the case of ~/Library/Safari means that apps are allowed to look inside it.

And inside the folder is a user’s entire web browsing history (as well as reading list archives, remote notifications, template icons and more).

“I’ve discovered a way to bypass these protections in Mojave and allow apps to look inside ~/Library/Safari without acquiring any permission from the system or from the user,” said Johnson in a Feb. 8 post, titled Spying on Safari in Mojave. “There are no permission dialogs, It Just Works.™ In this way, a malware app could secretly violate a user’s privacy by examining their web browsing history.”

Johnson said that once a malicious app laced with malware has been installed on the system, it could then access the Safari library and steal the web browsing history.

“A user would have to install and run a maliciously crafted app on their Mac in order for the flaw to be exploited” he told Threatpost. “This is all that’s required, though. Once a malware app is running, it would be able to exploit the flaw silently and secretly, without any further permissions.”

> New blog post “Spying on Safari in Mojave”
>
> In which I report a newly discovered hole in macOS Mojave privacy protections.<https://t.co/86HyJXlC0C&gt;
>
> — Jeff Johnson (@lapcatsoftware) February 9, 2019

While only MacOS Mojave is impacted, it’s important to note that macOS High Sierra and earlier had no privacy protections whatsoever,” Johnson stressed in an email to Threatpost.

“To use an analogy, what I’ve discovered is a way to bypass a lock,” he told Threatpost. “But still, having a locked door is more secure than having a door without a lock. Mojave has a flawed lock. High Sierra and earlier have no lock. On High Sierra there is no privacy protection for folders such as ‘~/Library/Safari’, so the technique I used on Mojave would also work on High Sierra, but that’s not surprising for High Sierra. The surprise is that the technique still works on Mojave.”

Johnson said that he notified Apple and privately released the technical details to the computing giant. Apple has acknowledged the vulnerability, but Johnson told Threatpost he expects it will take them some time to release an update with a fix. At the time of this writing, there is no patch/remediation available.

Apple has faced a slew of security issues lately – the company last week patched a major flaw in its Group FaceTime feature that allowed callers to eavesdrop on people they called even if the other party never picked up. Also last week, a researcher claimed to have found a new Apple zero-day impacting macOS that could allow an attacker to extract passwords from a targeted Mac’s keychain password management system.

Threatpost reached out to Apple for comment and will update this post with any response.

Interested in learning about mobile enterprise security threats and best practices? Don’t miss our freeThreatpost webinar** on Feb. 27 at 2 p.m. ET. Join Threatpost senior editor Tara Seals and a panel of mobile security experts, including Patrick Hevesi of Gartner;**Mike Burr of Google Android; and David Richardson from Lookout. They’ll discuss the top evolving threats and risks that are unique to this work-from-anywhere environment; best practices for addressing them; and new challenges on the horizon, such as 5G services.