SecureMac, Inc.

TextEdit flaw could have let hackers create malicious TXT files

April 13, 2021

A flaw in macOS TextEdit could have let attackers create malicious TXT files — files that could have led to DOS attacks, IP leaks, and more.

TextEdit flaw could have let hackers create malicious TXT files

This month, a security researcher named Paulos Yibelo published his write-up of CVE-2019-8761, a macOS TextEdit flaw that he discovered. The bug could have allowed bad actors to craft malicious TXT files — files that, if opened, could have been used to execute HTML, leak user data, and more. In this short article, we’ll discuss Yibelo’s research and say what it all means for Mac security.

Is this bug an immediate threat?

The research discussed in this article refers to a 2019 vulnerability that Apple has already patched. So unless you’re running a version of macOS Catalina that hasn’t been updated in a very long time, you don’t have to worry about any direct threat from CVE-2019-8761.

Nevertheless, many Mac users are unaware that non-executable file types (i.e. files that aren’t apps) can also cause serious security risks. For this reason, Yibelo’s research is definitely still worth talking about! 

How does CVE-2019-8761 work?

TextEdit, the Mac’s built-in text editing app, is the default app used for handling TXT files (i.e. files that end with the .txt file extension) on macOS. Because these files only contain text, most firewall apps — and Gatekeeper itself — treat TXT files as harmless.

However, Yibelo noticed that TextEdit also allows users to add basic text formatting (things like font color, bold or italic text, etc). To parse this kind of information, he reports, TextEdit “uses RTF format instead of TXT”. And this is where the vulnerability arises, because, as the researcher discovered:

TextEdit can be tricked into thinking the file opened is an RTF-HTML file even when the file extension is TXT. The ability to inject HTML into a TXT file obviously [opens] lots of potential attack vectors.

After some testing, Yibelo found that if you create a TXT file that includes a <!DOCTYPE html> declaration at the beginning, TextEdit will treat the file as HTML — despite the .txt extension! This could allow an attacker to craft a malicious TXT file by including a <!DOCTYPE> declaration and some HTML code in the file. If a user opened the file, then TextEdit would execute the malicious code as HTML.

That may seem like a surprisingly basic vulnerability for Apple to have overlooked, but for those familiar with the inner workings of macOS, it’s not really all that shocking. As SecureMac’s lead developer Nicholas Ptacek remarked to the journalist who wrote up CVE-2019-8761 for Vice:

macOS is kind of a hodgepodge of systems when it comes to determining a file type and how a given application should attempt to parse the content.

What could a hacker do with a malicious TXT file?

Practically speaking, how could the bad guys exploit this vulnerability? Yibeo mentions several possibilities in his write-up. He shows how an attacker could create malicious TXT files that would:

  • Force the Mac to open local files that generate infinite output, thus crashing the system and making it unavailable to the user (in other words, a Denial of Service attack).
  • Get macOS to attempt to access a remote resource via the kernel’s AutoMount functionality, which would reveal the user’s real IP address to an attacker — even if they were running a proxy.
  • Read sensitive local data and then use a “dangling markup” technique to exfiltrate that data to a server controlled by the attacker.

Important takeaways for Mac users

Yibelo’s research is no doubt interesting, but Apple has already patched the vulnerability that he discovered. So can this discussion of malicious TXT files teach us anything about Mac security in general?

Absolutely! Here are three key points to remember — and some steps that you can take to stay safer:

  1. The Mac threat landscape is constantly evolving — and bad guys are always finding new ways to attack macOS. In the past year, we’ve seen a rise in macro-based attacks on macOS, direct attacks on developers, and an overall increase in the quantity and sophistication of Mac malware threats.

    For this reason, all users should do their best to stay on top of the evolving threatscape by following a news outlet like this one, a good security podcast, or the Twitter feeds of your favorite cybersecurity accounts.

  2. macOS is, overall, a very secure platform. But in the words of one prominent security researcher, “a Mac is a computing system—and thus it’s going to have vulnerabilities!” Despite the protestations of loyal fans (and the hype from the Marketing Department), yes, Macs do have security issues.

    The good news is that Apple is usually pretty quick to patch its bugs, so all users can enable automatic updates as a basic precaution. In addition, you can enhance your security on a Mac by using robust anti-malware software (over and above what you get with the native macOS tools) and an outbound firewall app.

  3. Yibelo’s research demonstrates how supposedly “harmless” file types like TXT files can be weaponized by hackers. To put it bluntly, unknown files should never be considered safe to open, no matter what file extension you see. As mentioned above, bad actors have already started using seemingly innocuous Microsoft Office files to attack macOS. Apple’s own security updates frequently make reference to the dangers posed by maliciously crafted image files — another file type that’s not usually on the radar of most Mac users when it comes to security threats. And some Mac security researchers have found ways that malicious actors might abuse other, even less-well-known file types.

    For this reason, if you don’t know where a file comes from, or who’s sending it, then you shouldn’t assume that it’s safe. Remember that this advice applies not only to files downloaded from the Internet, but also to links and files sent via SMS or IM apps, and even to scannable QR codes as well. Bottom line? If you don’t know what it is, or who sent it, don’t download it, open it, click it, or scan it!

Get the latest security news and deals