Security researcher Felix Krause has discovered a macOS vulnerability that allows cybercriminals to take screenshots of a user's screen activity and then run the images through OCR software to read the text.
In an analysis on his blog, Krause explains that the CGWindowListCreateImage function can be abused by any Mac app, whether or not it is sandboxed, to take screenshots of the screen without the user knowing, even when the app is running in the background.
In experiments he carried out, Krause says he was able to use an OCR library to read various types of information captured using CGWindowListCreateImage. He argues that an attacker can:
- Read passwords and keys from password managers
- Read sensitive source code, API keys, or similar data
- Read emails and messages users open on their Mac
- Detect what web services users employ (e.g. email providers, password managers, installed apps, etc.)
- Learn personal information about the user, like their bank details, salary, address, etc.
In an email conversation with Bleeping Computer, Krause says he privately reported the issue to Apple last November. Because the issue was not resolved, Krause went public with his findings on his blog yesterday, and filed a public bug with Apple.
Krause also proposed several mitigations that Apple could consider to prevent abuse of the CGWindowListCreateImage function.
The easiest to implement would be to put the user in charge by adding a permission dialog for apps that use this function to take screenshots of the user's screen.