Skip to main content

Security researcher finds simple way to bypass Gatekeeper and allow a Mac to run malware

A security researcher has found an extremely simple way to bypass Gatekeeper to allow Macs to open any malicious app, even when it is set to open only apps downloaded from the Mac App Store.

Patrick Wardle, director of research at security firm Synack, told arsTechnica that once Gatekeeper okays an approved app, it pays no more attention to what that app does. The approved app can then open malicious apps – which Gatekeeper doesn’t check.

Wardle has found a widely available binary that’s already signed by Apple. Once executed, the file runs a separate app located in the same folder as the first one […] His exploit works by renaming Binary A but otherwise making no other changes to it. [He then] swaps out the legitimate Binary B with a malicious one and bundles it in the same disk image under the same file name. Binary B needs no digital certificate to run, so it can install anything the attacker wants … 

In other words, all someone needs to do is identify the same app Wardle found (or others with the same capability), rename it and then bundle it with a renamed malicious app. A similar method also works with plugins: find an app that loads plugins, substitute your malware for one of those plugins and again Gatekeeper pays no attention.

Wardle is not revealing the name of the app, but suspects that there are others out there.

“If I can find it, you have to assume groups of hackers or more sophisticated nation states have found similar weaknesses,” he said. “I’m sure there are other Apple-signed apps out there” that can also be abused to bypass Gatekeeper.

Wardle says that he reported the vulnerability to Apple more than 60 days ago, and Apple confirmed to arsTechnica that it is working on a patch.

Apple made unspecified changes to Gatekeeper a year ago, requiring developers to re-sign and re-upload apps.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

  1. arwynnfcffxiv - 9 years ago

    Whoops huh?

    • iSRS - 9 years ago

      Not really a “Whoops” – Humans create the protections, humans find a way around it. Once this is patched, those that want to will look to find a new way.

      Ironically, what I think this eventually leads to is a “phone home” to the Apple Servers any time an Apple signed app wants to open to validate something.

    • PhilBoogie - 9 years ago

      Indeed¡ And to think all Macs have been vulnerable all this time…and no one has been infected; what are the odds huh?

  2. standardpull - 9 years ago

    The old “trust of untrustworthy apps” problem. Heck, people authorize apps with an admin account all the time. Stupid, but they do it. Some dumb apps require it even.

  3. thisisasticup - 9 years ago

    Now i get to type in my password even more than I already do. Please give us touch id for mac.

    • srgmac - 9 years ago

      Awesome suggestion. They should find a way to integrate it into the trackpad.

  4. ashtraywasp - 9 years ago

    In the past few weeks Zerodium began offering a million dollars to anyone who can compromise iOS. Zerodium then sell it onto governments around the world and, weirdly, Fortune 500 companies. Now, I’m not a hacker, but if I’d discovered a serious hole in iOS and the choice was between handing it over to the richest company in the world *for free* (knowing that it saved them a potential PR disaster worth billions down the road), or selling it to the dark side for a million bucks.. I honestly don’t know what I’d do.

    (There are also other, smaller blackhat bounties, which still stand in sharp contrast to Apple’s zilch.)

    This story makes things so much worse, as it shows that even when people are making the conscious choice to inform Apple, to hand it to the world’s richest company on a plate for free, they haven’t even fixed it over two months later.

    This is probably a big reason why Apple are the only major company to (shamefully) not offer a bug bounty. Apple would be swamped and security researchers would witness at scale how long it’s taking Apple to patch vulnerabilities.

    Apple need to hire a fleet of security researchers and bug fixers. Acquire a company or two. There’s no excuse for this kind of thing happening time and time again by the biggest tech company in the world.

    • tush4r - 9 years ago

      I can totally relate this to an incident that occurred a few months ago.

  5. tush4r - 9 years ago

    Hi 9to5Mac, I just saw the MacKeeper Ad here in between the paragraphs and as per the articles on Internet the software is a malware.

    • Ben Lovejoy - 9 years ago

      Thanks for letting us know – we don’t directly control which ads are shown but can report inappropriate ads to Google.

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications