Researcher discovers bug that allows cybercriminals to take screenshots of a Mac and read text in the pic

Feb 12, 2018 10:17 GMT

Security researcher Felix Krause has discovered a macOS vulnerability that allows cybercriminals to take screenshots of on-screen activity and then use OCR software to read the text in them.

In an analysis on his blog, Krause explains that the CGWindowListCreateImage function can be abused by any Mac app, whether it is sandboxed or not, to take screenshots of the screen without users knowing about it, even when the app itself is running in the background.

The researcher says a potential attacker could get access to all connected monitors, and could eventually be able to read passwords and keys from apps like password managers.

Needless to say, all other on-screen data is exposed as well, including email messages and personal information such as bank details and contact data. The information in the screenshots cybercriminals take can be extracted automatically with OCR software that reads text in images.

No way to protect yourself

Apple has already been informed about the bug, but the company hasn’t yet replied, though a patch is expected to be shipped with the next Mac update.

Krause explains that there are several ways the bug can be fixed, though he recommends three methods that could provide control over apps that take screenshots.

First and foremost, the App Store review process could verify the sandbox entitlements for accessing the screen, so only legitimate apps would be allowed to do this, blocking any other malicious requests. Second, a permission dialog should be displayed to let the user know about it. Last but not least, a notification should be shown whenever an app accesses the screen.

It remains to be seen which approach Apple chooses to fix the bug in future versions of macOS, but for the time being “there is no way to protect yourself as of now.”