Whenever you turn off your Mac, a popup will appear: “Are you sure you want to turn off your computer now?” Below the tooltip is another option that most of us likely overlook: the choice to reopen the programs and windows you currently have open when your machine is turned back on. Now, researchers have found a way to exploit this “stored state” vulnerability — and it can be used to break into key layers of Apple’s defenses.
The vulnerability enables a process injection attack that breaches macOS security and could allow an attacker to read every file on a Mac or take control of its webcam, says Thijs Alkemade, a security researcher at Dutch cybersecurity firm Computest who discovered the flaw. “Essentially, it’s one vulnerability that can be applied to three different places,” he says.
After deploying the initial attack on the saved state feature, Alkemade was able to penetrate other parts of the Apple ecosystem: first by breaking out of the macOS sandbox, which is designed to limit a successful hack to a single program, and then by bypassing System Integrity Protection (SIP), a key protection designed to stop authorized code from accessing sensitive files on a Mac.
Alkemade, who is presenting the work at the Black Hat conference in Las Vegas this week, first found the vulnerability in December 2020 and reported the problem to Apple through its bug bounty scheme. He says he was paid a “pretty good” fee for the research, though he declined to say how much. Since then, Apple has released two updates to fix the flaw: the first in April 2021 and a second in October 2021.
When asked about the flaw, Apple said it had no comment on Alkemade’s presentation. The company’s two public announcements about the vulnerability did not provide details, but said the problems could allow malware to leak sensitive user information and escalate privileges for an attacker to move through the system.
Apple’s changes can also be seen in Xcode, the company’s development workspace for app creators, according to a blog post describing the attack by Alkemade. The researcher says that while Apple fixed the problem for Macs with the Monterey operating system, which was released in October 2021, previous versions of macOS are still vulnerable to the attack.
There are several steps to successfully launching an attack, but they all build on the original process injection vulnerability. Process injection attacks allow hackers to insert code into a running process on a device and execute it in a way that differs from what the process was originally intended to do.
Such attacks are not uncommon. “It’s quite common to find a process injection vulnerability in a particular application,” says Alkemade. “But to have such a universal application is a very rare find,” he says.
The vulnerability found by Alkemade resides in a “serialized” object in the saved state system, which records which applications and windows are open when the Mac is shut down. This saved state system can also run while you are using your Mac, in a process called App Nap.