The flaw was discovered by security researcher and Digita Security co-founder Patrick Wardle, who raised the alarm in a tweet with a video demonstrating how he exploited the flaw to access a user’s address book and indicating his intention to notify Apple.
Ironically, the vulnerability is in the new privacy protections implemented in Mojave, which require users to give explicit permission before third-party apps can access address books, location data, message archives, photos, reminders and other private data, and which are meant to block unauthorised access by such apps.
In the video, Wardle shows he was able to bypass the permission requirement by running a program called “breakMojave” to locate a user’s address book and copy it to the desktop.
Wardle, who has worked at Nasa and the US National Security Agency, told Bleeping Computer that he was able to access the confidential user contacts using an unprivileged app, which meant it did not run with administrator permissions.
“I found a trivial, albeit 100% reliable, flaw in their implementation,” he said, but admitted that the bypass he found does not work with all of Mojave’s new privacy protection features and that the bypass does not affect hardware-based components such as webcams.
Wardle has shared the technical details of his bypass with Apple and plans to make them public at a Mac Security conference in Hawaii in November.
Apple is expected to fix the vulnerability in the first security update for Mojave, but until then, the flaw may be discovered and exploited by attackers.
Mojave users are advised to be cautious about which apps they run until a patch is released and installed.