Sandboxed Mac Apps Can Record Screen Any Time Without You Knowing (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

Sandboxed Mac Apps Can Record Screen Any Time Without You Knowing (bleepingcomputer.com)

Posted by msmash on Sunday February 11, 2018 @04:41AM from the security-woes dept.

Catalin Cimpanu, writing for BleepingComputer: Malicious app developers can secretly abuse a macOS API function to take screenshots of the user's screen and then use OCR (Optical Character Recognition) to programmatically read the text found in the image. The function is CGWindowListCreateImage, often utilized by Mac apps that take screenshots or live stream a user's desktop. According to Fastlane Tools founder Felix Krause, any Mac app, sandboxed or not, can access this function and secretly take screenshots of the user's screen. Krause argues that miscreants can abuse this privacy loophole and utilize CGWindowListCreateImage to take screenshots of the screen without the user's permission.

25 of 59 comments (clear)

Min score:

Reason:

Sort:

Cue Google's Eric Schmidt by Anonymous Coward · 2018-02-11 04:53 · Score: 1, Insightful

To say, "If that worries you, maybe you're doing something you shouldn't be doing."
1. Re:Cue Google's Eric Schmidt by Xtifr · 2018-02-11 07:39 · Score: 1
  
  Like online banking, shopping and trading.
  To be fair, there are some strong arguments against those. Although I tend to doubt that Google or Apple really endorses those arguments. :D
2. Re:Cue Google's Eric Schmidt by tepples · 2018-02-11 09:16 · Score: 1
  
  Would you prefer to do shopping, banking, and trading through the Postal Service instead of online? Or what third option am I missing other than online and through mail for products and services not offered within reasonable cycling distance of your home?
3. Re: Cue Google's Eric Schmidt by slazzy · 2018-02-11 09:17 · Score: 1
  
  I perfer to use my walled garden ipad for banking.
  
  --
  Website Just Down For Me? Find out
Implemented incorrectly by Anonymous Coward · 2018-02-11 04:58 · Score: 4, Insightful

Should only be able to screenshot windows that are owned by the running process, not the entire display screen without being granted a specific permission to access whole display.
1. Re:Implemented incorrectly by Anonymous Coward · 2018-02-11 05:07 · Score: 3, Interesting
  
  This is Tim Cook's Apple we're talking about here. The guy allowed a release of an OS where one could log in with a blank root password. Yeah, I know, he's a "supply chain genius" which is why the iPhone X wasn't available for three months after it was announced and the fucking homepod just shipped two months late.
2. Re:Implemented incorrectly by Anonymous Coward · 2018-02-11 05:47 · Score: 2, Insightful
  
  Recent problems notwithstanding, Apple's operating systems have gotten vastly more secure under Tim Cook. Take a look at the scarcity of jailbreaks, for instance, or the inability for nation states to crack iPhone security, or the dedicated hardware functionality. There's a reason iOS vulnerabilities cost far more money on the black market than its competitors.
3. Re:Implemented incorrectly by Wrath0fb0b · 2018-02-11 06:00 · Score: 1
  
  Easy to do if you've implemented it like that from the start. Quite a bit harder if this API has been public since 2007 and you don't want to cause incompatibility issues.
  How happy would you be as a developer if you did things according to the documentation at the time and then years later were told you have to change because the API contract is changed? Pray that we don't change it further?
4. Re: Implemented incorrectly by Anonymous Coward · 2018-02-11 06:09 · Score: 1
  
  Easy... Display a dialog box asking if the user authorizes the operation. This should be a seldomly used operation, so it's not going to be invasive. If you see a dialog ever few seconds, you can at least know something shady is happening.
5. Re:Implemented incorrectly by Gr8Apes · 2018-02-11 14:07 · Score: 1
  
  Easy to do if you've implemented it like that from the start. Quite a bit harder if this API has been public since 2007 and you don't want to cause incompatibility issues.
  How happy would you be as a developer if you did things according to the documentation at the time and then years later were told you have to change because the API contract is changed? Pray that we don't change it further?
  You have obviously never programmed in MS land. The contract is built upon sand.
  
  --
  The cesspool just got a check and balance.
6. Re:Implemented incorrectly by gravewax · 2018-02-11 16:43 · Score: 1
  
  A CEO is responsible for the actions of his staff (within reason), he has to set the standards, policy and culture for his directs to follow and down the chain. CEO's are paid their obscene salaries as they are expected to be personally responsible and direct the company in all aspects. The idea that a blank password for a root account can happen is a direct failing of security education for staff or enforcement of security reviews which ultimately is his responsibility and I am sure if you asked him he would also say he is accountable for that failing and will have directed his reports to review and rectify the situation.
7. Re:Implemented incorrectly by Gr8Apes · 2018-02-12 04:22 · Score: 1
  
  You have obviously never programmed in MS land. The contract is built upon sand.
  I actually have developed in the MS land (as well as Linux) for the last 20 years. The MS Land you speak of is actually the best for maintaining compatibility, sometimes to the point of pain where to avoid some fringe cases of breaking compatibility they will create a new version of the API instead. So I would say your comment tells me you have obviously never programmed in the MS Land.
  Yeah, right. Take a look at the security token manipulation routines for threads and processes (oh wait, they've all been quietly broken) Backwards compatibility be damned.
  
  --
  The cesspool just got a check and balance.
Is this news? by thecombatwombat · 2018-02-11 05:17 · Score: 1

I mean isn't this true of every unsandboxed PC (or Mac) app ever?
Does the sandbox promise to change this?
1. Re:Is this news? by QuietLagoon · 2018-02-11 05:19 · Score: 3, Informative
  
  ...Does the sandbox promise to change this?...
  Yes. A sandbox is a sandbox. You play inside your sandbox and are unable to affect or access things outside your sandbox that you should not access. It seems that, at some point, Apple forgot to restrict access to this API for sandboxed apps.
2. Re:Is this news? by AvitarX · 2018-02-11 05:27 · Score: 1
  
  Yes, the entire point of a sandbox is it can't get data from other apps.
  Or at least without specific warnings that it's doing something outside of just being a self contained app.
  
  --
  Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
3. Re:Is this news? by TheFakeTimCook · 2018-02-11 06:27 · Score: 2
  
  Yes, the entire point of a sandbox is it can't get data from other apps.
  Or at least without specific warnings that it's doing something outside of just being a self contained app.
  I wonder if any other security-conscious OSes have this security-hole? Looks like a pretty easy one to miss.
4. Re:Is this news? by gravewax · 2018-02-11 13:42 · Score: 1
  
  is that honestly a serious comment? you think they intentionally allowed an app to record information of other apps while running in a sandbox? So basically you are saying apple did this on purpose and rather than an oversight it was a malicious action on their part to allow covert data exfiltration and spying?
5. Re:Is this news? by omfglearntoplay · 2018-02-12 03:39 · Score: 1
  
  If it says sandbox, it needs to be sandbox. They better fix this.
Its a re-run, a late-late-show, ... by loslosbaby · 2018-02-11 07:58 · Score: 2

There is a saying: "You can program Fortran in any language"... and it applies here: "You can X Windows in any OS".
Screencast by tepples · 2018-02-11 09:18 · Score: 1

This should be a seldomly used operation, so it's not going to be invasive.
Taking 30 screenshots per second when preparing a tutorial video for some application might be more invasive.
1. Re:Screencast by AC-x · 2018-02-11 17:12 · Score: 1
  
  Taking 30 screenshots per second when preparing a tutorial video for some application might be more invasive.
  Do you want to grant this application access to your screen content?
  [ Yes ] [ No ] [X] Remember this answer
  Gee that was hard to fix wasn't it?
2. Re:Screencast by tepples · 2018-02-11 17:20 · Score: 1
  
  It's hard if the platform curator gates the ability to "[X] Remember this answer" behind some sort of review process that individual developers are unlikely to pass.
3. Re: Screencast by AC-x · 2018-02-11 18:23 · Score: 1
  
  And who said anything about doing that?
Re:Are people not aware... by Aighearach · 2018-02-11 09:54 · Score: 1

No. No they are not aware.
Any other questions?
Sandbox API vs. sandbox-exec by mattr · 2018-02-11 16:15 · Score: 1

Does anyone have info about how to easily run in a sandbox mac apps that are not from the app store and don't use the sandbox api? I only found the below article from 3 years ago, and had trouble getting it to work in the past. I just want to run an app in a jail and maybe as a less privileged user. I am not talk8ng about apps that voluntarily implement the api so that they are allowed in the app store. Otherwise I'm very uncomfortable about installing a dmg from some website even if it is a known vendor. It seems to be a major problem that it is so difficult for ordinary users to use a sandbox to jail apps.
https://paolozaino.wordpress.c...