Sandboxed Mac Apps Can Record Screen Any Time Without You Knowing

Catalin Cimpanu, writing for BleepingComputer: Malicious app developers can secretly abuse a macOS API function to take screenshots of the user's screen and then use OCR (Optical Character Recognition) to programmatically read the text found in the image. The function is CGWindowListCreateImage, often utilized by Mac apps that take screenshots or live stream a user's desktop. According to Fastlane Tools founder Felix Krause, any Mac app, sandboxed or not, can access this function and secretly take screenshots of the user's screen. Krause argues that miscreants can abuse this privacy loophole and utilize CGWindowListCreateImage to take screenshots of the screen without the user's permission.

Good thing I've moved my porn to Oculus Rift

[SensitiveMale]

from my mac.

Re:

[Megol]

Of course he have - it's his mother!

Cue Google's Eric Schmidt

[Anonymous Coward]

To say, "If that worries you, maybe you're doing something you shouldn't be doing."

Re:

[Xtifr]

Like online banking, shopping and trading.

To be fair, there are some strong arguments against those. Although I tend to doubt that Google or Apple really endorses those arguments. :D

Re:

[tepples]

Would you prefer to do shopping, banking, and trading through the Postal Service instead of online? Or what third option am I missing other than online and through mail for products and services not offered within reasonable cycling distance of your home?

Re: Cue Google's Eric Schmidt

[slazzy]

I perfer to use my walled garden ipad for banking.

Implemented incorrectly

[Anonymous Coward]

Should only be able to screenshot windows that are owned by the running process, not the entire display screen without being granted a specific permission to access whole display.

Re:

[Anonymous Coward]

This is Tim Cook's Apple we're talking about here. The guy allowed a release of an OS where one could log in with a blank root password. Yeah, I know, he's a "supply chain genius" which is why the iPhone X wasn't available for three months after it was announced and the fucking homepod just shipped two months late.

Re:

[Anonymous Coward]

Recent problems notwithstanding, Apple's operating systems have gotten vastly more secure under Tim Cook. Take a look at the scarcity of jailbreaks, for instance, or the inability for nation states to crack iPhone security, or the dedicated hardware functionality. There's a reason iOS vulnerabilities cost far more money on the black market than its competitors.

Re:

[gravewax]

A CEO is responsible for the actions of his staff (within reason), he has to set the standards, policy and culture for his directs to follow and down the chain. CEO's are paid their obscene salaries as they are expected to be personally responsible and direct the company in all aspects. The idea that a blank password for a root account can happen is a direct failing of security education for staff or enforcement of security reviews which ultimately is his responsibility and I am sure if you asked him he wou

Re:

[Wrath0fb0b]

Easy to do if you've implemented it like that from the start. Quite a bit harder if this API has been public since 2007 and you don't want to cause incompatibility issues.

How happy would you be as a developer if you did things according to the documentation at the time and then years later were told you have to change because the API contract is changed? Pray that we don't change it further?

Re: Implemented incorrectly

[Anonymous Coward]

Easy... Display a dialog box asking if the user authorizes the operation. This should be a seldomly used operation, so it's not going to be invasive. If you see a dialog ever few seconds, you can at least know something shady is happening.

Screencast

[tepples]

This should be a seldomly used operation, so it's not going to be invasive.

Taking 30 screenshots per second when preparing a tutorial video for some application might be more invasive.

Re:

[AC-x]

Taking 30 screenshots per second when preparing a tutorial video for some application might be more invasive.

Do you want to grant this application access to your screen content?
[ Yes ] [ No ] [X] Remember this answer

Gee that was hard to fix wasn't it?

Re:

[tepples]

It's hard if the platform curator gates the ability to "[X] Remember this answer" behind some sort of review process that individual developers are unlikely to pass.

Re: Screencast

[AC-x]

And who said anything about doing that?

Re:

[Gr8Apes]

Easy to do if you've implemented it like that from the start. Quite a bit harder if this API has been public since 2007 and you don't want to cause incompatibility issues.

How happy would you be as a developer if you did things according to the documentation at the time and then years later were told you have to change because the API contract is changed? Pray that we don't change it further?

You have obviously never programmed in MS land. The contract is built upon sand.

Re:

[Gr8Apes]

You have obviously never programmed in MS land. The contract is built upon sand.

I actually have developed in the MS land (as well as Linux) for the last 20 years. The MS Land you speak of is actually the best for maintaining compatibility, sometimes to the point of pain where to avoid some fringe cases of breaking compatibility they will create a new version of the API instead. So I would say your comment tells me you have obviously never programmed in the MS Land.

Yeah, right. Take a look at the security token manipulation routines for threads and processes (oh wait, they've all been quietly broken) Backwards compatibility be damned.

Is this news?

[thecombatwombat]

I mean isn't this true of every unsandboxed PC (or Mac) app ever?

Does the sandbox promise to change this?

Re:Is this news?

[QuietLagoon]

...Does the sandbox promise to change this?...

Yes. A sandbox is a sandbox. You play inside your sandbox and are unable to affect or access things outside your sandbox that you should not access. It seems that, at some point, Apple forgot to restrict access to this API for sandboxed apps.

Re:

[gravewax]

is that honestly a serious comment? you think they intentionally allowed an app to record information of other apps while running in a sandbox? So basically you are saying apple did this on purpose and rather than an oversight it was a malicious action on their part to allow covert data exfiltration and spying?

Re:

[AvitarX]

Yes, the entire point of a sandbox is it can't get data from other apps.

Or at least without specific warnings that it's doing something outside of just being a self contained app.

Re:

[TheFakeTimCook]

Yes, the entire point of a sandbox is it can't get data from other apps.

Or at least without specific warnings that it's doing something outside of just being a self contained app.

I wonder if any other security-conscious OSes have this security-hole? Looks like a pretty easy one to miss.

Re:

[omfglearntoplay]

If it says sandbox, it needs to be sandbox. They better fix this.

Re:

[Aighearach]

No. No they are not aware.

Any other questions?

Its a re-run, a late-late-show, ...

[Greg S.]

There is a saying: "You can program Fortran in any language"... and it applies here: "You can X Windows in any OS".

Sandbox API vs. sandbox-exec

[mattr]

Does anyone have info about how to easily run in a sandbox mac apps that are not from the app store and don't use the sandbox api? I only found the below article from 3 years ago, and had trouble getting it to work in the past. I just want to run an app in a jail and maybe as a less privileged user. I am not talk8ng about apps that voluntarily implement the api so that they are allowed in the app store. Otherwise I'm very uncomfortable about installing a dmg from some website even if it is a known vendor. I