When a file is downloaded from the internet, macOS places it in “quarantine” by adding the com.apple.quarantine extended attribute. This ensures that the user is warned of potential security risks before the file is executed.
Cavallarin has found a way to bypass the file quarantine feature by exploiting DOM-based XSS vulnerabilities in an HTML file named rhtmlPlayer.html, which is stored in the /System/Library/CoreServices folder of the OS.
According to him, this file contains two DOM-based XSS flaws that can be exploited by hackers via Uniform Resource Identifier (URI) components.
One way to exploit this vulnerability is to use .webloc files, which allow users to save website addresses to the local system. In macOS, this type of file is automatically opened with the Safari web browser.
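For defenders, the .webloc vector described above can be audited on disk. The following is an added example, not code from the researcher or from Apple: it parses .webloc property lists and flags any whose stored URL points at a local file rather than a website, with a specific label for rhtmlPlayer.html under /System/Library/CoreServices. The "sub" path component and the sample URLs are constructed placeholders.

```python
import plistlib
import posixpath
from pathlib import Path
from urllib.parse import urlparse, unquote

SYSTEM_PREFIX = "/system/library/coreservices/"  # folder named in the article
TARGET_NAME = "rhtmlplayer.html"                 # file named in the article

def webloc_url(data):
    """Return the URL stored in a .webloc plist (XML or binary), else None."""
    try:
        doc = plistlib.loads(data)
    except Exception:          # not a plist at all, or truncated
        return None
    url = doc.get("URL") if isinstance(doc, dict) else None
    return url if isinstance(url, str) else None

def classify(data):
    """Label one .webloc: remote, local-file, local-rhtmlplayer, unparseable."""
    url = webloc_url(data)
    if url is None:
        return "unparseable"
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() != "file":
        return "remote"
    # Decode %xx and collapse ../ so encoded or indirect paths still match;
    # compare case-insensitively, as default macOS volumes do.
    path = posixpath.normpath(unquote(parsed.path)).lower()
    if path.startswith(SYSTEM_PREFIX) and path.endswith("/" + TARGET_NAME):
        return "local-rhtmlplayer"
    return "local-file"

def scan(folder):
    """Return {path: label} for every non-remote .webloc under folder."""
    hits = {}
    for p in Path(folder).expanduser().rglob("*.webloc"):
        label = classify(p.read_bytes())
        if label != "remote":
            hits[str(p)] = label
    return hits

# Constructed samples (no payload): a .webloc is a plist with a "URL" key.
SAMPLE_REMOTE = plistlib.dumps({"URL": "https://example.com/"})
SAMPLE_LOCAL = plistlib.dumps(
    {"URL": "file:///System/Library/CoreServices/sub/rhtmlPlayer.html?x=1"})
SAMPLE_ENCODED = plistlib.dumps(
    {"URL": "FILE:///system/Library/CoreServices/a/../sub/%72htmlPlayer.html"},
    fmt=plistlib.FMT_BINARY)
```

Calling scan("~/Downloads") returns only the shortcuts worth a second look; an ordinary saved bookmark is labelled remote and omitted.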
Segment has posted a video showing how hackers can exploit this flaw to steal sensitive data from the targeted device.
The vulnerability affects macOS 10.12, 10.11, 10.10 and likely prior versions of the operating system. The problem was reported to Apple, which patched it with the release of macOS High Sierra 10.13 but did not mention the fix.
This is not the only macOS vulnerability revealed this week. Cybersecurity specialist Patrick Wardle discovered a critical zero-day vulnerability in macOS that could allow any installed application to steal usernames and plaintext passwords of online accounts stored in the Mac Keychain.