Perhaps Apple should be more thorough with its macOS testing

APPLE'S MACOS MOJAVE has made its debut and comes complete with insufficient privacy protections that can be bypassed with ease.

That's according to Bleeping Computer, which talked to security researcher Patrick Wardle, who discovered that he could access private user data in macOS Mojave through the use of an unprivileged app without administrator permissions.

"I found a trivial, albeit 100 per cent reliable flaw in their implementation," he told Bleeping Computer.

Sensitive data like information in the user's address book could be accessed, making the bug a particularly privacy-sapping zero-day flaw. While Wardle couldn't copy said sensitive data by accessing it directly, he could copy address book data to the macOS desktop by using an app that shouldn't have such access permissions.

But Wardle did note that the bypass he found, which he won't be sharing technical details on until the Mac Security Conference he's organising in Hawaii in November, doesn't work with all of the new privacy protection features Apple slipped into Mojave.

This flaw will likely have Tim Cook's crew rushing to squash the bug, but it's still not a good look for Apple, which worked to add new privacy features into its latest take on macOS.

One such protection is the need for users to give explicit consent for Mojave to access their data, from location to photos and other private info. The idea was to prevent apps from simulating consent using APIs and instead add a layer of genuine human interaction to stave off potential data-stealing and privacy-breaching apps.

That being said, some apps can be pre-authorised to have access to sensitive data, though it's as yet unclear if that's something Wardle used to bypass the privacy protection feature.

The flaw could be worse, as with the catastrophic bug that allowed High Sierra to be accessed without a legitimate password, which could have led to all manner of cybersecurity chaos if left undiscovered. But it shows the 'just works' boast Apple used to make is not really applicable any more. µ