TLDR

Sandbox implemented in macOS does not cover pasteboard. That blog post shows that you can create fully sandboxed malware (that may pass Apple’s review, bypassed many times in the past) stealing & modifying pasteboard values.

What sandbox is?

App Sandbox is an access control technology provided in macOS, enforced at the kernel level. It is designed to contain damage to the system and the user’s data if an app becomes compromised. Apps distributed through the Mac App Store must adopt App Sandbox. Apps signed and distributed outside of the Mac App Store with Developer ID can (and in most cases should) use App Sandbox as well. ~ Apple’s documentation

Later we can read that App Sandbox limits access to sensitive resources. But what Apple means by ‘sensitive resources’? There is also an answer to that:

Okay, so pasteboard is not included here.

What can go wrong?

Let’s discuss if pasteboard may be such a resource. What could go wrong if a malicious app had access to our pasteboard? Some examples below:

Okay, I believe you may be convinced that pasteboard should be considered as a ‘sensitive resource’.

Coding POC malware!

Let’s find a class responsible for interacting with the system’s pasteboard.

Okay, so we have found one. Now we are going to write some code:

void setPasteboardItem(NSString *str) {
    NSPasteboard *pasteboard = [NSPasteboard generalPasteboard];
    [pasteboard clearContents];
    [pasteboard setString:str forType:NSPasteboardTypeString];
}

NSString* getPasteboardItem() {
    NSArray *pb_items = [[NSPasteboard generalPasteboard] pasteboardItems];
    NSString *pbi_s;
    for(NSPasteboardItem *pbi in pb_items) {
        pbi_s = [pbi stringForType:NSPasteboardTypeString];
    }
    return pbi_s;
}

As you can see, this code sets and gets pasteboard items when their types are string.

Sandboxing the app

#Beautifying

Let’s add fancy GUI to make this blog post shareable on social media (lol 😂).

The complete proof of concept

How Apple may fix this?

Status

15th December 2018 - Issue sent to Apple

3rd July 2019 - Apple says it is expected behavior.

Shares