
Sandboxed Mac Apps Can Record Screen Any Time Without You Knowing (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: Malicious app developers can secretly abuse a macOS API function to take screenshots of the user's screen and then use OCR (Optical Character Recognition) to programmatically read the text found in the image. The function is CGWindowListCreateImage, often utilized by Mac apps that take screenshots or live stream a user's desktop. According to Fastlane Tools founder Felix Krause, any Mac app, sandboxed or not, can access this function and secretly take screenshots of the user's screen. Krause argues that miscreants can abuse this privacy loophole and utilize CGWindowListCreateImage to take screenshots of the screen without the user's permission.

59 comments

  1. Good thing I've moved my porn to Oculus Rift by SensitiveMale · · Score: 0

    from my mac.

    1. Re:Good thing I've moved my porn to Oculus Rift by Anonymous Coward · · Score: 0

      the thing with fapping in vr is, how do u know ur wife or roommate or whatever isn't standing next to you? i'd be too paranoid

    2. Re:Good thing I've moved my porn to Oculus Rift by Anonymous Coward · · Score: 0

      You could fuck your wife instead, even better than VR!
      Or lock your roommate out - that's something you might want to do anyway if they are susceptible to walk in when you are fapping, VR or not!

    3. Re:Good thing I've moved my porn to Oculus Rift by Anonymous Coward · · Score: 0

      I guess you haven't seen his wife.

    4. Re:Good thing I've moved my porn to Oculus Rift by Megol · · Score: 0

      Of course he has - it's his mother!

    5. Re: Good thing I've moved my porn to Oculus Rift by Anonymous Coward · · Score: 0

      Stupid ugly bitches standing next to me?
      Fap

    6. Re:Good thing I've moved my porn to Oculus Rift by Anonymous Coward · · Score: 0

      You could fuck your wife instead

      Christ, then I'd have to talk to her. I don't really need sex that badly.

    7. Re:Good thing I've moved my porn to Oculus Rift by Anonymous Coward · · Score: 0

      >> You could fuck your wife instead
      > Christ, then I'd have to talk to her. I don't really need sex that badly.

      Shove your cock in her mouth to shut her up. That's what I do!

  2. Cue Google's Eric Schmidt by Anonymous Coward · · Score: 1, Insightful

    To say, "If that worries you, maybe you're doing something you shouldn't be doing."

    1. Re:Cue Google's Eric Schmidt by Anonymous Coward · · Score: 0

      Like online banking, shopping and trading.

    2. Re: Cue Google's Eric Schmidt by Anonymous Coward · · Score: 0

      Yeah, like Uber abusing the hell out of their iDevice app. :)

    3. Re:Cue Google's Eric Schmidt by Xtifr · · Score: 1

      > Like online banking, shopping and trading.

      To be fair, there are some strong arguments against those. Although I tend to doubt that Google or Apple really endorses those arguments. :D

    4. Re:Cue Google's Eric Schmidt by tepples · · Score: 1

      Would you prefer to do shopping, banking, and trading through the Postal Service instead of online? Or what third option am I missing other than online and through mail for products and services not offered within reasonable cycling distance of your home?

    5. Re: Cue Google's Eric Schmidt by slazzy · · Score: 1

      I prefer to use my walled garden iPad for banking.

      --
      Website Just Down For Me? Find out
    6. Re:Cue Google's Eric Schmidt by Anonymous Coward · · Score: 0

      yeah I created my bitcoin paper printed wallet while someone was screen grabbing it...

  3. Implemented incorrectly by Anonymous Coward · · Score: 4, Insightful

    Should only be able to screenshot windows that are owned by the running process, not the entire display screen without being granted a specific permission to access whole display.

    1. Re:Implemented incorrectly by Anonymous Coward · · Score: 3, Interesting

      This is Tim Cook's Apple we're talking about here. The guy allowed a release of an OS where one could log in with a blank root password. Yeah, I know, he's a "supply chain genius" which is why the iPhone X wasn't available for three months after it was announced and the fucking homepod just shipped two months late.

    2. Re:Implemented incorrectly by Anonymous Coward · · Score: 2, Insightful

      Recent problems notwithstanding, Apple's operating systems have gotten vastly more secure under Tim Cook. Take a look at the scarcity of jailbreaks, for instance, or the inability for nation states to crack iPhone security, or the dedicated hardware functionality. There's a reason iOS vulnerabilities cost far more money on the black market than its competitors.

    3. Re:Implemented incorrectly by Anonymous Coward · · Score: 0

      It is probably a bug, or an API that was forgotten. I tried implementing taking screenshots while sandboxed and I always got permission denied from the function call one should be using for this.

    4. Re:Implemented incorrectly by Wrath0fb0b · · Score: 1

      Easy to do if you've implemented it like that from the start. Quite a bit harder if this API has been public since 2007 and you don't want to cause incompatibility issues.

      How happy would you be as a developer if you did things according to the documentation at the time and then years later were told you have to change because the API contract is changed? Pray that we don't change it further?

    5. Re: Implemented incorrectly by Anonymous Coward · · Score: 1

      Easy... Display a dialog box asking if the user authorizes the operation. This should be a seldom used operation, so it's not going to be invasive. If you see a dialog every few seconds, you can at least know something shady is happening.

    6. Re: Implemented incorrectly by Anonymous Coward · · Score: 0, Funny

      Wrong, iPhone and iOS are so fucking ugly these days, nobody wants to waste their time jailbreaking.

    7. Re:Implemented incorrectly by Anonymous Coward · · Score: 0

      Yeah because Tim Cook is the person at Apple who personally checks for shit like this... /s

    8. Re:Implemented incorrectly by Anonymous Coward · · Score: 0

      Wrong. The reason iOS vulnerabilities cost far more money on the black market is that Apple is too cheap to pay for them themselves. But at least Apple still isn't trying to throw people that find vulnerabilities in jail. At least I hope they aren't.

    9. Re:Implemented incorrectly by Anonymous Coward · · Score: 0

      Hi yeah I work on the Apple password security and login verification quality assurance team, and I can confirm for you that our CEO Tim Cook is also a part-time QA staff member. I personally saw him button-mashing the login screen the other day before he signed off on the operating system upgrade release.

    10. Re:Implemented incorrectly by Anonymous Coward · · Score: 0

      The CEO is responsible for everything in the company. If a QA team is getting stacked with lazy hindus, he needs to step in and make sure it's fixed. If the head of QA got poached by Tesla for some reason, he needs to make sure the replacement is up to the job. His direct reports need to be telling him this stuff. QA team is 90% hindus with fake diplomas, Tim. Do you want me to enforce some diversity or what? You decide, meeting's over, gotta meet with the VP of Emoji Development!

    11. Re:Implemented incorrectly by Gr8Apes · · Score: 1

      > Easy to do if you've implemented it like that from the start. Quite a bit harder if this API has been public since 2007 and you don't want to cause incompatibility issues.
      >
      > How happy would you be as a developer if you did things according to the documentation at the time and then years later were told you have to change because the API contract is changed? Pray that we don't change it further?

      You have obviously never programmed in MS land. The contract is built upon sand.

      --
      The cesspool just got a check and balance.
    12. Re:Implemented incorrectly by gravewax · · Score: 1

      A CEO is responsible for the actions of his staff (within reason); he has to set the standards, policy and culture for his directs to follow and down the chain. CEOs are paid their obscene salaries as they are expected to be personally responsible and direct the company in all aspects. The idea that a blank password for a root account can happen is a direct failing of security education for staff or enforcement of security reviews, which ultimately is his responsibility, and I am sure if you asked him he would also say he is accountable for that failing and will have directed his reports to review and rectify the situation.

    13. Re:Implemented incorrectly by Anonymous Coward · · Score: 0

      > You have obviously never programmed in MS land. The contract is built upon sand.

      I actually have developed in the MS land (as well as Linux) for the last 20 years. The MS Land you speak of is actually the best for maintaining compatibility, sometimes to the point of pain where to avoid some fringe cases of breaking compatibility they will create a new version of the API instead. So I would say your comment tells me you have obviously never programmed in the MS Land.

    14. Re:Implemented incorrectly by Gr8Apes · · Score: 1

      > You have obviously never programmed in MS land. The contract is built upon sand.
      >
      > I actually have developed in the MS land (as well as Linux) for the last 20 years. The MS Land you speak of is actually the best for maintaining compatibility, sometimes to the point of pain where to avoid some fringe cases of breaking compatibility they will create a new version of the API instead. So I would say your comment tells me you have obviously never programmed in the MS Land.

      Yeah, right. Take a look at the security token manipulation routines for threads and processes (oh wait, they've all been quietly broken). Backwards compatibility be damned.

      --
      The cesspool just got a check and balance.
  4. Only criminals want privacy by Anonymous Coward · · Score: 0

    If you have nothing to hide, you have nothing to fear... except fear itself.

    If you don't believe me, just ask Mr. Trump.

    1. Re: Only criminals want privacy by Anonymous Coward · · Score: 0

      Wow. That's deep. Deep as a petri dish.

    2. Re: Only criminals want privacy by Anonymous Coward · · Score: 0

      No man, I'm deeper than the crack in yo mama's big fat ass! And believe me, it ain't turtles in here! Phew! Oh Lordy!!

  5. Is this news? by thecombatwombat · · Score: 1

    I mean isn't this true of every unsandboxed PC (or Mac) app ever?

    Does the sandbox promise to change this?

    1. Re:Is this news? by QuietLagoon · · Score: 3, Informative

      > ...Does the sandbox promise to change this?...

      Yes. A sandbox is a sandbox. You play inside your sandbox and are unable to affect or access things outside your sandbox that you should not access. It seems that, at some point, Apple forgot to restrict access to this API for sandboxed apps.

    2. Re:Is this news? by AvitarX · · Score: 1

      Yes, the entire point of a sandbox is it can't get data from other apps.

      Or at least without specific warnings that it's doing something outside of just being a self contained app.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    3. Re:Is this news? by TheFakeTimCook · · Score: 2

      > Yes, the entire point of a sandbox is it can't get data from other apps.
      >
      > Or at least without specific warnings that it's doing something outside of just being a self contained app.

      I wonder if any other security-conscious OSes have this security-hole? Looks like a pretty easy one to miss.

    4. Re:Is this news? by Anonymous Coward · · Score: 0

      Are you trying to be funny? imacos is not a security-conscious OS in the least. But it's cute of you to slyly suggest it is.

    5. Re:Is this news? by Anonymous Coward · · Score: 0

      OSX / macOS is at least as security conscious as the other two main alternatives (Windows/Linux).

    6. Re:Is this news? by Anonymous Coward · · Score: 0

      No it isn't. Apple have a history of choosing user convenience over security repeatedly over the years. Security on a Mac is a second class citizen.

    7. Re:Is this news? by Anonymous Coward · · Score: 0

      > Yes, the entire point of a sandbox is it can't get data from other apps.
      >
      > Or at least without specific warnings that it's doing something outside of just being a self contained app.
      >
      > I wonder if any other security-conscious OSes have this security-hole? Looks like a pretty easy one to miss.

      Slashdot's resident Apple shill quick to attempt to deflect attention away from Apple and onto others. Frankly I don't give a fuck about whether you can do this on Windows for example because I don't use it for anything but gaming.

      This isn't some moronic my preferred computer operating system Vs your preferred computer operating system battle like you seem to think it is, whether or not other operating systems do this or not is wholly irrelevant to the fact that Apple does it and it's wrong and it's a security vulnerability. But this sad corporate devotion some people seem to have leads them down this path of comparing to others every time their brand of choice fucks up.

    8. Re:Is this news? by Anonymous Coward · · Score: 0

      > ...Does the sandbox promise to change this?...
      >
      > ... things outside your sandbox that you should not access. ...

      If you define a sandbox as containing things that should be inside a sandbox, and none that shouldn't, then this is inside the sandbox... and we only have your word it shouldn't.

    9. Re:Is this news? by Anonymous Coward · · Score: 0

      Exactly this.

    10. Re:Is this news? by gravewax · · Score: 1

      Is that honestly a serious comment? You think they intentionally allowed an app to record information of other apps while running in a sandbox? So basically you are saying Apple did this on purpose, and rather than an oversight it was a malicious action on their part to allow covert data exfiltration and spying?

    11. Re:Is this news? by omfglearntoplay · · Score: 1

      If it says sandbox, it needs to be sandbox. They better fix this.

  6. Are people not aware... by Anonymous Coward · · Score: 0

    ...that running software on your computer, means you are letting software control your computer? Screenshots and all.

    1. Re:Are people not aware... by Anonymous Coward · · Score: 0

      Which part of "sandbox" do you not understand?

    2. Re:Are people not aware... by Aighearach · · Score: 1

      No. No they are not aware.

      Any other questions?

  7. Its a re-run, a late-late-show, ... by loslosbaby · · Score: 2

    There is a saying: "You can program Fortran in any language"... and it applies here: "You can X Windows in any OS".

  8. Screencast by tepples · · Score: 1

    > This should be a seldom used operation, so it's not going to be invasive.

    Taking 30 screenshots per second when preparing a tutorial video for some application might be more invasive.

    1. Re:Screencast by Anonymous Coward · · Score: 0

      Ask the user if the application can capture video, duh. You could even have the webcam light flashing like a record button.

      Maybe try being a little less problem-focussed and more solution-focussed.

    2. Re:Screencast by AC-x · · Score: 1

      > Taking 30 screenshots per second when preparing a tutorial video for some application might be more invasive.

      Do you want to grant this application access to your screen content?
      [ Yes ] [ No ] [X] Remember this answer

      Gee that was hard to fix wasn't it?

    3. Re:Screencast by tepples · · Score: 1

      It's hard if the platform curator gates the ability to "[X] Remember this answer" behind some sort of review process that individual developers are unlikely to pass.

    4. Re: Screencast by AC-x · · Score: 1

      And who said anything about doing that?

  9. Sandbox API vs. sandbox-exec by mattr · · Score: 1

    Does anyone have info about how to easily run in a sandbox Mac apps that are not from the App Store and don't use the sandbox API? I only found the below article from 3 years ago, and had trouble getting it to work in the past. I just want to run an app in a jail and maybe as a less privileged user. I am not talking about apps that voluntarily implement the API so that they are allowed in the App Store. Otherwise I'm very uncomfortable about installing a dmg from some website even if it is a known vendor. It seems to be a major problem that it is so difficult for ordinary users to use a sandbox to jail apps.

    https://paolozaino.wordpress.c...

  10. Screensharing software (webex, g2m, etc) by Anonymous Coward · · Score: 0

    A ton of screensharing software obviously needs to capture the whole screen for e-meetings, but! basically every one of these is NOT distributed through the sandbox, they're direct downloads from the web when you start or join a meeting for the first time.