Last June, Apple introduced a core security feature in MacOS that made it mandatory for all applications to take permission (“allow” or “deny”) from users before accessing sensitive data or components on the system, including the device camera or microphone, location data, messages, and browsing history.
For those unaware, ‘Synthetic Clicks’ are programmatic and invisible mouse clicks that are generated by a software program rather than a human.
MacOS itself has built-in functionality for synthetic clicks, but as an accessibility feature for disabled people to interact with the system interface in non-traditional ways.
So, the feature is only available for Apple-approved apps, preventing malicious apps from abusing these programmatic clicks.
However, security researcher Patrick Wardle, at that time, found a critical flaw in macOS that could have allowed malicious applications installed on a targeted system to virtually “click” security prompt buttons without any user interaction or actual consent.
Though Apple patched that issue after few weeks from the public disclosure, Wardle has once again publicly demonstrated a new way around that could allow apps to perform ‘Synthetic Clicks’ to access users’ private data without their explicit permission.
Wardle told that on Mojave, there is a validation flaw in the way macOS checks the integrity of whitelisted apps. The operating system checks the existence of an app’s digital certificate but fails to validate if the app has been tampered with.
While demonstrating the zero-day vulnerability at Objective By the Sea conference in Monte Carlo, Wardle abused VLC Player, one of the Apple’s approved apps, to include his malware as an unsigned plugin and perform synthetic clicks on a consent prompt programmatically without actually requiring any user’s interaction.
Wardle refers to the new synthetic click vulnerability as a “2nd stage attack,” meaning an attacker would need to have remote access to a victim’s macOS computer already or have installed a malicious application.
Wardle reported his findings to Apple last week and the company confirmed receiving his report, but did not clear when it is planning to patch the issue.