
MacOS security protections can easily be bypassed with ‘synthetic’ clicks - pseudolus
https://techcrunch.com/2019/06/03/macos-security-flaw-synthetic-clicks/
======
Ennis
The attack vector is not broad, which makes the headline and story
sensationalist.

Yes - plugins add risk because they are dynamic and have an uncontrolled
upgrade path with potentially different or non-existent signing systems. That
is why plugins and extensions are not allowed on the more-controlled and newer
iOS.

I doubt this gets addressed very quickly - if anything it is easier and
cheaper to audit all VLC extensions and introduce a signing system. Or to kill
VLC's trusted cert/status altogether and treat it as a custom dev app -
install-at-your-own-risk.

------
java-man
Apart from a clever synthetic click, the takeaway from this story is:

"But a bug in Apple’s code meant that macOS was only checking if a
certificate exists and wasn’t properly verifying the authenticity of the
whitelisted app."
