Security Researcher Accidentally Stumbles on a Way for Malware to Click “OK” for You
One of the simplest ways to stay safe and secure on your Mac is to pay close attention to the warnings and prompts that the system often pops up when you’re in the middle of things. Many times, you might even expect these prompts to appear. It’s just macOS’s way of saying, “Hey, are you sure about that?” when something involves sensitive files or has extensive permissions. When you aren’t expecting them, they’re even more important: as your first line of defense, they can be a big red flag that a file or program on your Mac is trying to do something it shouldn’t. That can help you avoid installing malware, or let you know that you already have an infection.
As it turns out, though, there is a flaw underlying the way these prompts currently work. If malware were to infect your Mac successfully, it could use this flaw to automatically click to dismiss these security prompts before you ever have a chance to see them. At first glance, this flaw might not seem new; Apple patched a bug in macOS late last year that allowed these “synthetic clicks” to occur and bypass notifications. However, noted Apple security researcher Patrick Wardle, presenting at the recent DEFCON gathering in Las Vegas, revealed he had found a way around this patch — and he did it by accident, too.
While writing code for a proof of concept, Wardle wanted to generate a synthetic click which macOS would detect and block, allowing a prompt window to appear as normal. After copying and pasting some code, fiddling around, and re-compiling, though, he suddenly discovered the prompt now disappeared as if a real synthetic click had occurred. What was going on is an excellent example of how lapses in security sometimes come from unusual places.
Wardle’s bad code told the Mac something impossible was happening: two clicks at once. The code sent a signal to the system saying that a “mouse down” event (that is, a click) had occurred. It then sent another “mouse down” signal immediately; this would be like a user somehow clicking again without ever letting go of the mouse button. macOS, however, did not differentiate this impossible sequence from a legitimate click and thus allowed the click to occur.
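To make the “impossible” sequence concrete, here is an added illustration (not code from Wardle, Apple, or this article) of a per-button state check that flags a second “mouse down” arriving with no “mouse up” in between. The event record format, function name, and sample streams are constructed for this example and do not reflect how macOS represents or filters input events.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MouseEvent:
    t_ms: int    # timestamp in milliseconds (constructed sample data)
    kind: str    # "down" or "up"
    button: str  # "left" or "right"


def find_impossible_sequences(events):
    """Return (index, reason) for each event that cannot follow the prior state.

    A physical button alternates down/up, so a "down" while the same button
    is already held, or an "up" with no preceding "down", is not something a
    human hand can produce and deserves scrutiny.
    """
    pressed = {}    # button -> index of the still-unmatched "down" event
    anomalies = []
    for i, ev in enumerate(events):
        if ev.kind == "down":
            if ev.button in pressed:
                anomalies.append(
                    (i, f"{ev.button} down while already down since event {pressed[ev.button]}")
                )
            else:
                pressed[ev.button] = i
        elif ev.kind == "up":
            if ev.button not in pressed:
                anomalies.append((i, f"{ev.button} up with no matching down"))
            else:
                del pressed[ev.button]
        else:
            anomalies.append((i, f"unknown event kind {ev.kind!r}"))
    return anomalies


# Constructed sample streams (hypothetical, for illustration only).
NORMAL_CLICK = [MouseEvent(0, "down", "left"), MouseEvent(80, "up", "left")]
DOUBLE_DOWN = [MouseEvent(0, "down", "left"), MouseEvent(1, "down", "left")]
TWO_BUTTONS = [
    MouseEvent(0, "down", "left"), MouseEvent(10, "down", "right"),
    MouseEvent(90, "up", "left"), MouseEvent(95, "up", "right"),
]

if __name__ == "__main__":
    for name, stream in [("normal", NORMAL_CLICK), ("double-down", DOUBLE_DOWN)]:
        print(name, find_impossible_sequences(stream))
```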
For bad guys to exploit this on your Mac, they’d have to have a foothold already — so this flaw is a low-grade threat to most users. Wardle’s zero-day reveal of the defect will likely spur Apple to quick action. The good news: the fix should be relatively minor and easy. Keep an eye out for upcoming macOS patches to keep your machine secure.