As noted in this article, “a security researcher has disclosed a new flaw that undermines a core macOS security feature designed to prevent apps, or malware, from accessing a user’s private data, webcam or microphone without their explicit permission.” Recent privacy protections, expanded in the Mojave version of the Macintosh operating system, were meant to make it more difficult for malicious apps to get access to the user’s private information, unless the user allows access through a pop-up dialog.
However, these protections weren’t as good as Apple previously believed. This bug is the result of a whitelist of approved applications that are allowed to create “synthetic clicks” to prevent them from breaking. This includes the popular video playing application VLC, which the researcher showed could access a user’s camera, microphone, and other Macintosh computer services, through a plug-in that performed malicious actions.
This is a reminder that users should be aware anytime an application asks for permission to download and/or load additional software. In this case, any application that requires a download and installation of a plug-in would require closer scrutiny. This is especially true for anyone who attempts to access files through something like torrent services, which could potentially request to download a plug-in to view the downloaded file (or else the file that is downloaded through the torrent file could also be a payload with malicious intent, even if not requiring a plug-in).
If you’d like to discuss further, please let us know!