MacOS 0-Day Flaw exploits 'Synthetic Clicks'

News by Robert Abel

The bug takes advantage of 'synthetic events', a macOS automation feature intended to improve accessibility and enable applications to automate inputs.

A security researcher with a history of finding bugs in Apple products discovered a zero-day vulnerability that can bypass Apple’s security protections with "synthetic clicks".

Security researcher Patrick Wardle demonstrated the bug at the Objective by the Sea security conference in Monaco. It affects macOS Mojave and takes advantage of ‘synthetic events’, a macOS automation feature intended to improve accessibility and enable applications to automate inputs such as mouse clicks and keystrokes.

"The system attempts to verify/validate that these allowed whitelisted apps haven’t been subverted – but their check is flawed, meaning, an attacker can subvert any of these, and add/inject code to perform arbitrary synthetic clicks – for example, to interact with security/privacy alerts in Mojave to access user’s location, the microphone, webcam, photos, SMS/call records," Wardle told Hacker News.

Wardle demonstrated how malware could virtually ‘click’ the built-in security prompt for new applications without any user interaction. Apple has yet to respond to a request for comment on this issue.

This article was originally published on SC Media US.
