Despite the fact that Apple announced the improved privacy protection of macOS Mojave 10.14, a new security flaw was found.
The security experts reported an unexpected bypass of privacy protection which uses an ordinary application that needs no permission to access user’s address book.
According to the researchers, the bypass entered the system via: System Preferences > Security & Privacy > Privacy, and most probably, it was addressed by Mojave updates. Soon after the first security flaw, a few more followed.
A week ago, the browser extension developer Jeff Johnson reported that a new issue was affecting all Mojave versions, including the 10.14.3 supplemental update.
Johnson said that he has found a way to access ~/Library/Safari without asking the system or user for any permission, although this directory should only be accessible via privileged apps like macOS Finder. In this way, a malware application could examine users’ browsing history and threaten their privacy.
The only positive news here is that the flaw cannot affect sandboxed apps (isolated applications with improved security) and notarised apps (applications signed by a Developer ID that have passed Apple’s automated malware checks).