Security Researcher discovered a vulnerability in macOS Mojave let malware apps bypass the privacy protection and read the safari browser web history.
macOS Mojave has strictly
But the newly uncovered flaw bypass the Mojave privacy protection and allow the malicious app to access the folder without any further permission from the users and system.
In this case, the flow allows attacker to inject the crafted malicious apps to bypass the flaw and read the Safari browsers history.
Jeff said in his report, ” My bypass works with the “hardened runtime” enabled. Thus, an app with the ability to spy on Safari could be “notarized” by Apple (as long as it passed their automated malware checks, which I suspect would be no problem). My bypass does not work with sandboxed apps, as far as I can tell.
Jeff developed the browser extension called StopTheMadness that helps user to provide a smooth browsing experience in Safari, Firefox, and Google Chrome.
He already reports to Apple regarding this flaw and got the automated acknowledgment but Apple doesn’t provide any bug bounty program for macOS flaws as we have seen earlier Zero-day flaw that was reported by Linus Henze.
There is no technical information available for this unpatched flaw since he reported to Apple in this regarding and waiting for the fixes and the bug to be resolved.