An attempt by Apple to protect your Safari browsing history in macOS Mojave has a security hole which allows full access by a rogue app, says a Mac and iOS developer.
Prior to Mojave, your browsing history was freely available to any app that looked inside ~/Library/Safari. In macOS 10.14, however, Apple locked down access so tightly that you can’t even list the contents in Terminal – in theory …
Mojave provides special access to this folder for only a few apps, such as Finder. However, I’ve discovered a way to bypass these protections in Mojave and allow apps to look inside
~/Library/Safariwithout acquiring any permission from the system or from the user. There are no permission dialogs, It Just Works.™ In this way, a malware app could secretly violate a user’s privacy by examining their web browsing history […]
My bypass works with the “hardened runtime” enabled. Thus, an app with the ability to spy on Safari could be “notarized” by Apple (as long as it passed their automated malware checks, which I suspect would be no problem). My bypass does not work with sandboxed apps, as far as I can tell.
It’s not a huge issue, as sandboxed Mac apps, like those from the Mac App Store, are unable to access folders outside of their containers, so this wouldn’t be exploitable by malicious code in those apps. To be at risk, you’d have to authorize an app downloaded from elsewhere – which is something you should only ever do with a developer you trust.
It also doesn’t make Mojave any less secure than earlier versions of macOS, just potentially no more secure, Johnson told Threatpost.
To use an analogy, what I’ve discovered is a way to bypass a lock. But still, having a locked door is more secure than having a door without a lock. Mojave has a flawed lock. High Sierra and earlier have no lock. On High Sierra there is no privacy protection for folders such as ‘~/Library/Safari’, so the technique I used on Mojave would also work on High Sierra, but that’s not surprising for High Sierra. The surprise is that the technique still works on Mojave.
Johnson says he has passed full details of the Safari browsing history vulnerability to Apple, but expects a fix to take some time.