How to Bypass Gatekeeper & Exploit macOS v10.14.5 & Earlier

Apple's Gatekeeper security software for macOS (formerly Mac OS X) is vulnerable to remote attacks up to and including version 10.14.5. An attacker anywhere in the world can exploit MacBooks and other Mac computers simply by sharing a single ZIP file.

The vulnerability was discovered by Filippo Cavallarin, a security researcher and CEO of We Are Segment, an Italian cyber-security company. In his blog post, Filippo demonstrates how a remote attacker can exploit the vulnerability. His video (below) also shows it in action.

At the time of this writing, there is no patch for the vulnerability. According to Filippo, it affects macOS Mojave 10.14.5 and all prior versions, so High Sierra, Sierra, El Capitan, Yosemite, and so on are likely all vulnerable. He responsibly disclosed the vulnerability to Apple over 90 days ago and has made several follow-up attempts to communicate the issue, but has not received a response.

[embedded video: Filippo Cavallarin's demonstration of the Gatekeeper bypass]

I'm going to show, in detail, how an attacker would exploit the vulnerability. But before we dive into setting up the attack, let's quickly go over three essential technologies.

Gatekeeper: A security feature of macOS designed to ensure that only trusted applications run on a Mac computer. Normally, when an app is downloaded through a web browser, Gatekeeper will either confirm the software is from a verified developer or immediately flag it as suspicious. With Filippo's exploit, Gatekeeper doesn't prevent a malicious app from executing.
Symbolic Links: Useful for maintaining copies of ..
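Because the attack hinges on symbolic links packed inside a ZIP file, a defender can inspect an archive for symlink entries before extracting it. The following is an added example, not code from Filippo's post: it builds a constructed sample archive in memory (the `/Volumes/Share/App` and `../../etc/passwd` targets are made up for the demonstration) and reports any symlink whose target is an absolute path or escapes the archive's own directory tree.

```python
import io
import posixpath
import stat
import zipfile


def build_sample_archive() -> bytes:
    """Constructed sample: one regular file and three symlink entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/README.txt", "hello")
        links = (
            ("app/local", "README.txt"),          # harmless: stays inside app/
            ("app/evil", "/Volumes/Share/App"),   # absolute target (constructed)
            ("app/up", "../../etc/passwd"),       # climbs out of the archive (constructed)
        )
        for name, target in links:
            info = zipfile.ZipInfo(name)
            info.create_system = 3  # Unix; makes the mode bits in external_attr meaningful
            # A ZIP symlink is a regular entry whose Unix mode is S_IFLNK and whose
            # data is the link target; the mode lives in the high 16 bits.
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, target)
    return buf.getvalue()


def find_suspicious_symlinks(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, target) for every symlink that points outside the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if not stat.S_ISLNK(mode):
                continue
            target = zf.read(info).decode("utf-8", "replace")
            # Resolve the target relative to the directory the link sits in.
            resolved = posixpath.normpath(posixpath.join(posixpath.dirname(info.filename), target))
            escapes = resolved == ".." or resolved.startswith("../")
            if posixpath.isabs(target) or escapes:
                findings.append((info.filename, target))
    return findings


if __name__ == "__main__":
    for name, target in find_suspicious_symlinks(build_sample_archive()):
        print(f"suspicious symlink: {name} -> {target}")
```

Run it against a downloaded archive by reading its bytes and passing them to `find_suspicious_symlinks`; an empty result means the archive contains no symlinks that reach outside its own tree.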