Gatekeeper Hack: How to Bypass Apple Security

The Gatekeeper hack allows attackers to completely bypass the well-known Mac security feature. Using a specially crafted exploit, attackers are able to open a malicious Mac app even if the system is configured to open only apps downloaded from the App Store.

Gatekeeper was introduced in 2012 as a way to minimize security risks by neutralizing social engineering attacks that mislead Mac users into installing malware. The code-signing requirement ensures that apps were not modified or downloaded via unencrypted communications.

Patrick Wardle, director of research at security firm Synack, found an Apple-signed binary which, upon execution, runs a separate app located in the same folder. Due to security concerns, the names of the files have not been disclosed. Therefore, let’s call them Bin 1 and Bin 2.

What the Gatekeeper hack exploit does is simple: it renames Bin 1 and packages it into an Apple disk image. Since the renamed Bin 1 is signed by Apple itself, it is instantly accepted by Gatekeeper and executed by Mac OS X.

After gaining access to the core OS, Bin 1 searches for Bin 2 in the same folder. Because Gatekeeper only checks the file clicked by the user, the exploit replaces Bin 2 with a malicious one, using the same disk image and filename. Bin 2 is then not required to have a certificate and is therefore able to install literally anything a hacker wants.
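A defensive check for the gap described above, as an added example that is not from the original article: it walks a folder (such as a mounted disk image) and lists Mach-O files that carry no embedded code-signature load command, which are the files the description says go unchecked. It handles thin little-endian Mach-O files only; the sample headers are constructed for the demo, and "Bin 1" and "Bin 2" are the article's placeholder names.

```python
import os, struct, tempfile

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF  # thin little-endian Mach-O magics
LC_CODE_SIGNATURE = 0x1D                        # load command that locates the signature

def has_code_signature(data):
    """True/False for a thin Mach-O image; None if data is not one."""
    if len(data) < 28:
        return None
    magic, ncmds = struct.unpack_from("<I12xI", data, 0)  # ncmds sits at offset 16
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        return None
    offset = 32 if magic == MH_MAGIC_64 else 28  # size of mach_header(_64)
    for _ in range(ncmds):
        if offset + 8 > len(data):
            break                                # truncated: report as unsigned
        cmd, cmdsize = struct.unpack_from("<2I", data, offset)
        if cmd == LC_CODE_SIGNATURE:
            return True
        if cmdsize < 8:
            break                                # malformed command size
        offset += cmdsize
    return False

def unsigned_executables(folder):
    """Relative paths of Mach-O files under folder with no embedded signature."""
    found = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                head = fh.read(1 << 20)          # load commands follow the header
            if has_code_signature(head) is False:
                found.append(os.path.relpath(path, folder))
    return sorted(found)

def build_macho(signed):
    """Constructed header-only Mach-O for the demo; not a runnable binary."""
    cmds = struct.pack("<2I16s", 0x1B, 24, b"\0" * 16)  # constructed LC_UUID command
    cmds += struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0, 0) if signed else b""
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2,
                       1 + bool(signed), len(cmds), 0, 0) + cmds

def demo():
    """Stage a folder like the one described: signed 'Bin 1' beside unsigned 'Bin 2'."""
    with tempfile.TemporaryDirectory() as vol:
        for name, signed in (("Bin 1", True), ("Bin 2", False)):
            with open(os.path.join(vol, name), "wb") as fh:
                fh.write(build_macho(signed))
        return unsigned_executables(vol)
```

The presence of the load command only shows that a signature is embedded, not that it is valid; on macOS, `codesign --verify` performs the actual validation.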

The Gatekeeper hack exploit works on all Mac OS X versions, including Yosemite and El Capitan. Wardle claimed that he was able to successfully test his exploit on the beta version of El Capitan.

Patrick Wardle made a good point about security and privacy:

“If I can find it, you have to assume groups of hackers or more sophisticated nation states have found similar weaknesses. I’m sure there are other Apple-signed apps out there that can also be abused to bypass Gatekeeper.”

This vulnerability was reported 60 days ago and, as we are aware, Apple is working on the fix. Hopefully, this security hole will be closed as soon as possible.
