MacOS Zero-Day Vulnerability Allows Synthetic Mouse Clicks to Run Malicious Code

A zero-day vulnerability has been discovered in Apple’s Mojave operating system which could be exploited to run malicious code on vulnerable devices without being detected.

The zero-day flaw was discovered by Digita Security’s chief research officer Patrick Wardle. The flaw is in Mojave’s application verification system and could be exploited to run whitelisted applications that have been doctored to run malicious code by mimicking mouse clicks. Wardle says the vulnerability could be used in a second-stage attack to mask further exploitation of a compromised system.

The security measures in Mojave are supposed to prevent unauthorized individuals from installing malicious apps or getting apps that have already been installed to perform malicious actions. Should such a scenario arise, a pop-up window would appear on screen and the user would be required to confirm or deny a particular action.

The flaw would allow an attacker to use ‘synthetic’ mouse clicks to authorize actions, unbeknownst to the user. This could, for instance, allow the attacker to turn on the microphone and eavesdrop or discover the GPS coordinates of the compromised device.

Wardle notes that certain applications are totally trusted by Apple. For these whitelisted applications, an attacker with access to the device could change the source code of the applications and change their functions to perform malicious acts.

Wardle showed that it is possible to manipulate the code of VLC Media Player to perform malicious actions because the application is trusted by Apple. While the actions could be noticed on screen by the user, Wardle showed that detection could be avoided by using synthetic mouse clicks only when the device was in sleep mode.

An unauthorized individual would need to have already gained access to the device through a backdoor, but once remote access to the device had been established, the system could be further exploited.

This is not the first zero-day flaw in macOS that has been discovered by Wardle. Wardle has now demonstrated on four occasions how synthetic mouse clicks can be used to bypass macOS security controls. Wardle said it would be naive to think that there are no other hackers who have discovered flaws in Apple’s security protections and expressed frustration that Apple has not comprehensively fixed the synthetic mouse click vulnerabilities in its operating system.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of