Sandboxed Mac Apps Can Record Screen Any Time Without You Knowing

Catalin Cimpanu, writing for BleepingComputer: Malicious app developers can secretly abuse a macOS API function to take screenshots of the user's screen and then use OCR (Optical Character Recognition) to programmatically read the text found in the image. The function is CGWindowListCreateImage, often utilized by Mac apps that take screenshots or live stream a user's desktop. According to Fastlane Tools founder Felix Krause, any Mac app, sandboxed or not, can access this function and secretly take screenshots of the user's screen. Krause argues that miscreants can abuse this privacy loophole and utilize CGWindowListCreateImage to take screenshots of the screen without the user's permission.

Cue Google's Eric Schmidt

To say, "If that worries you, maybe you're doing something you shouldn't be doing."

Implemented incorrectly

Should only be able to screenshot windows that are owned by the running process, not the entire display screen without being granted a specific permission to access whole display.

Re:Implemented incorrectly

Recent problems notwithstanding, Apple's operating systems have gotten vastly more secure under Tim Cook. Take a look at the scarcity of jailbreaks, for instance, or the inability for nation states to crack iPhone security, or the dedicated hardware functionality. There's a reason iOS vulnerabilities cost far more money on the black market than its competitors.