Patrick Wardle, an ex-NSA hacker and now Chief Research Officer of Digita Security, uncovered a critical zero-day vulnerability in the macOS operating system that could allow a malicious application installed in the targeted system to virtually "click" objects without any user interaction or consent.
To know, how dangerous it can go, Wardle explains: "Via a single click, countless security mechanisms may be completely bypassed. Run untrusted app? Click...allowed. Authorize keychain access? Click...allowed. Load 3rd-party kernel extension? Click...allowed. Authorize outgoing network connection? click ...allowed."
Wardle described his research into "synthetic" interactions with a user interface (UI) as "The Mouse is Mightier than the Sword," showcasing an attack that's capable of 'synthetic clicks'—programmatic and invisible mouse clicks that are generated by a software program rather than a human.
macOS code itself offers synthetic clicks as an accessibility feature for disabled people to interact with the system interface in non-traditional ways, but Apple has put some limitations to block malware from abusing these programmed clicks.
Wardle accidentally discovered that High Sierra incorrectly interprets two consecutive synthetic mouse "down" event as a legitimate click, allowing attackers to programmatically interact with security warnings as well that asks users to choose between "allow" or "deny" and access sensitive data or features.
"The user interface is that single point of failure," says Wardle. "If you have a way to synthetically interact with these alerts, you have a very powerful and generic way to bypass all these security mechanisms."Although Wardle has not yet published technical details of the flaw, he says the vulnerability can potentially be exploited to dump all passwords from the keychain or load malicious kernel extensions by virtually clicking "allow" on the security prompt and gain full control of a target machine.
Wardle said that he found this loophole accidentally when copying and pasting the code and that just two lines of code are enough to completely break this security mechanism.
Unlike earlier findings, Wardle didn't report Apple about his latest research and choose to publicly reveal details of the zero-day bug at DefCon hacker conference.
"Of course OS vendors such as Apple are keenly aware of this 'attack' vector, and thus strive to design their UI in a manner that is resistant against synthetic events. Unfortunately, they failed," says Wardle.However, the Apple's next version of macOS, Mojave, already has mitigated the threat by blocking all synthetic events, which eventually reduces the scope of accessibility features on applications that legitimately use this feature.