A design flaw recently discovered in Apple’s macOS Mojave could allow malicious applications to steal a victims Safari browsing history.
Mojave is the fifteenth major release of MacOS and the latest. It was released in September 2018, and while it wasn’t groundbreaking in terms of new features, it offered some nice new enhancements and is free to download, as has been typical of MacOS releases in the past several years. However, it appears that there is a design flaw with the new OS when it comes to Safari.
This flaw exists in every version of the Mojave operating system, including the latest update released this month (10.14.3). The flaw was discovered by iOS and Mac developer Jeff Johnson.
In an interview Johnson stated:
On Mojave, certain folders have restricted access that is forbidden by default. For example,
~/Library/Safari. In Terminal app, you can’t even list the contents of that folder:$ ls Library/Safari ls: Safari: Operation not permitted $ sudo ls Library/Safari Password: ls: Safari: Operation not permitted
Mojave provides special access to this folder for only a few apps, such as Finder. However, I’ve discovered a way to bypass these protections in Mojave and allow apps to look inside
~/Library/Safariwithout acquiring any permission from the system or from the user. There are no permission dialogs, It Just Works.™ In this way, a malware app could secretly violate a user’s privacy by examining their web browsing history.
Johnson says that a malicious app containing malware could be installed on the system, and the spy on the user’s Safari library, stealing the web browsing history. This would involve the app already being installed on the system, but if the attacker’s know about the flaw they could easily design malware to exploit the flaw.
Your web browsing history contains a treasure trove of data about you, your shopping habits, what banking companies you use, your health concerns, your sexual orientation, your political views, and your entertainment preferences to name a few. This information would be highly valuble for hackers and also for marketing companies.
Many browsers let you see different types of browser history and delete accordingly, however, the Safari browser doesn’t let you distinguish between different data types when you’re clearing your history. This leads to an all or nothing type scenario where users either delete everything, or delete nothing, or take no action which is also deleting nothing.
Johnson has notified Apple of the flaw but says he expects it will take some time for Apple to release a fix for the issue. Until then, users will remain vulnerable to this exploitation and hackers may be gearing up to attack. It is therefore recommended that users delete their browsing history frequently to reduce the impact of any such attack should you be affected. Also, remain vigilant about malware to avoid your Mac becoming infected with any browser history stealing software.