![e98e00dfa5f62f8f08f05.png](https://telegra.ph/file/e98e00dfa5f62f8f08f05.png)
Fastlane Tools founder Felix Krause discovered that virtually any application on the system (whether it's in a sandbox or not) can spy on a user using legitimate macOS functionality.
Krause described the problem on his personal blog and warned that there is no patch for it yet, although he notified Apple engineers of his finding back in November 2017. He has now decided to disclose the details publicly and has also filed the corresponding bug report.
The problem lies in the CGWindowListCreateImage function, which applications often use to take screenshots or capture what is happening on the device's screen. No special user permission is required to call it, so a malicious application can run in the background or inside a sandbox and still have access to literally every pixel.
![mac-take-screenshots-1040x721.png](https://xakep.ru/wp-content/uploads/2018/02/154300/mac-take-screenshots-1040x721.png)
The researcher explains that, combined with optical character recognition (OCR), this lets an attacker "read" the information on the target's monitor. A criminal can thus intercept information such as passwords and various keys from password managers; gain access to confidential source code and API keys; read emails and messages that the user is viewing; find out which web services and applications the victim is using; and so on.
Krause suggests possible solutions to Apple's developers. For example, the system could require the user's permission before an application is allowed to use the CGWindowListCreateImage function, and notify the user whenever an application takes screenshots.
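
Because the call needs no permission, one practical audit step is to inventory which binaries on a machine link against the function at all. The following is an added example, not code from Krause or the original article: a Python triage check that parses a Mach-O file (thin 64-bit or universal) and looks for `_CGWindowListCreateImage` in its symbol table; the function names and the constructed sample binary are assumptions made for illustration.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF  # thin 64-bit Mach-O (little-endian on disk)
FAT_MAGIC = 0xCAFEBABE    # universal binary (header fields are big-endian)
LC_SYMTAB = 0x2
SYMBOL = b"_CGWindowListCreateImage"  # C symbols carry a leading underscore

def slice_offsets(data):
    """Yield the start offset of every architecture slice in the file."""
    if len(data) >= 8 and struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        (nfat,) = struct.unpack_from(">I", data, 4)
        for i in range(nfat):
            # fat_arch: cputype, cpusubtype, offset, size, align
            yield struct.unpack_from(">5I", data, 8 + 20 * i)[2]
    else:
        yield 0

def string_table(data, base):
    """Return the LC_SYMTAB string table of the slice at base, or b''."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, base)
    if magic != MH_MAGIC_64:
        return b""
    pos = base + 32  # load commands follow the 32-byte mach_header_64
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, pos)
        if cmd == LC_SYMTAB:
            # symtab_command: cmd, cmdsize, symoff, nsyms, stroff, strsize
            stroff, strsize = struct.unpack_from("<2I", data, pos + 16)
            return data[base + stroff : base + stroff + strsize]
        if cmdsize < 8:
            break  # malformed load command, stop instead of looping in place
        pos += cmdsize
    return b""

def references_screen_capture(data):
    """True if any slice's symbol names include CGWindowListCreateImage."""
    try:
        return any(SYMBOL in string_table(data, off).split(b"\0")
                   for off in slice_offsets(data))
    except struct.error:  # truncated or non-Mach-O input
        return False

def sample_macho(symbols):
    """Constructed test input: header + one LC_SYMTAB + string table."""
    strtab = b"\0" + b"\0".join(symbols) + b"\0"
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 1, 24, 0, 0)
    symtab = struct.pack("<6I", LC_SYMTAB, 24, 56, 0, 56, len(strtab))
    return header + symtab + strtab
```

A match only means the binary imports the function, which legitimate screenshot tools also do; code that resolves the symbol at run time (for example via `dlsym`) will not appear in the symbol table.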