A security researcher has found a new way to bypass Apple’s macOS security warnings by performing ‘Synthetic Clicks’ on behalf of users, without any interaction from them.
In June last year, Apple introduced a core security feature in macOS that made it mandatory for all applications to obtain permission (“allow” or “deny”) from users before accessing any sensitive data or components on the system. This includes the device camera or microphone, location data, messages, and browsing history.
Synthetic Clicks are programmatic and invisible mouse clicks that are generated by a software program rather than a human.
macOS itself has built-in functionality for synthetic clicks as an accessibility feature that lets disabled people interact with the system interface.
This feature is only available to Apple-approved apps, thereby preventing malicious apps from misusing these programmatic clicks.
The security researcher Patrick Wardle discovered a critical flaw in macOS that let malicious applications installed on a targeted system virtually “click” security prompt buttons without the consent of the user.
Apple patched that issue soon after it was publicly disclosed. The researcher has once again disclosed a new method that lets apps perform ‘Synthetic Clicks’ to access users’ private data without their permission.
Wardle reported that on Mojave, there is a validation flaw in the way macOS checks the integrity of whitelisted apps. The operating system checks an app’s digital certificate, but it does not validate whether the app has been tampered with.
Also, the whitelisted apps need not be present on the system. The attacker can bring any of the whitelisted apps to the system and run it in the background to generate clicks.
Wardle stated that VLC Player, an app approved by Apple, can carry this malware as an unsigned plugin and perform synthetic clicks on a consent prompt programmatically, without requiring any action from the user.
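The gap described above, between trusting an app's certificate and verifying that its contents are unchanged, shown as an added example that is not from the original article or from Wardle's research. It is a simplified Python model: `seal.json`, the signer name and the `Player.app` bundle are constructed stand-ins, and a real code signature would also sign the manifest itself, which this model omits.

```python
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST = "seal.json"  # hypothetical stand-in for a bundle's sealed resource list

def snapshot(bundle):
    """Map every file in the bundle (except the manifest) to its SHA-256."""
    return {p.relative_to(bundle).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in bundle.rglob("*") if p.is_file() and p.name != MANIFEST}

def seal_bundle(bundle, signer):
    """Signing step of the model: record who signed and what was signed."""
    (bundle / MANIFEST).write_text(json.dumps({"signer": signer, "files": snapshot(bundle)}))

def identity_only_check(bundle, allowlist):
    """Weak check: trust the bundle because its signer is on the allowlist."""
    return json.loads((bundle / MANIFEST).read_text())["signer"] in allowlist

def integrity_check(bundle, allowlist):
    """Stronger check: allowlisted signer AND on-disk content matches the seal."""
    seal = json.loads((bundle / MANIFEST).read_text())
    if seal["signer"] not in allowlist:
        return False, ["signer not allowlisted"]
    sealed, disk = seal["files"], snapshot(bundle)
    problems = [f"added: {f}" for f in disk.keys() - sealed.keys()]
    problems += [f"missing: {f}" for f in sealed.keys() - disk.keys()]
    problems += [f"modified: {f}" for f in disk.keys() & sealed.keys() if disk[f] != sealed[f]]
    return not problems, sorted(problems)

def demo():
    """Build a constructed bundle, seal it, then drop in an unsealed plugin."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "Player.app"  # constructed sample, not a real app
        (bundle / "plugins").mkdir(parents=True)
        (bundle / "player").write_bytes(b"main executable")
        (bundle / "plugins" / "codec.so").write_bytes(b"shipped plugin")
        allow = {"Constructed Vendor"}
        seal_bundle(bundle, "Constructed Vendor")
        before = (identity_only_check(bundle, allow), integrity_check(bundle, allow))
        (bundle / "plugins" / "extra.so").write_bytes(b"added after sealing")
        after = (identity_only_check(bundle, allow), integrity_check(bundle, allow))
        return before, after

if __name__ == "__main__":
    print(demo())
```

The identity-only check returns the same answer before and after the extra plugin appears, while the integrity check reports the file that was not part of the seal.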
He refers to the new synthetic click vulnerability as a “2nd stage attack.” It means that a hacker would already need to have remote access to a victim’s macOS computer or have installed a malicious application.
Wardle submitted his findings to Apple last week, and it is not clear when the company will issue a patch.