[HN Gopher] Can you trust that permission pop-up on macOS?
___________________________________________________________________
Can you trust that permission pop-up on macOS?
Author : nmgycombinator
Score : 101 points
Date : 2025-05-12 18:26 UTC (4 hours ago)
(HTM) web link (wts.dev)
(TXT) w3m dump (wts.dev)
| sefrost wrote:
| My work Mac regularly pops up an alert box claiming that Slack is
| "trying to install a new helper tool". I have no idea why or what
| it means. I asked IT how I could verify it was legit and they
| didn't know.
|
| I often wonder if this could also be exploited because it asks
| for a password and it keeps popping back up every time I click
| cancel.
| nmgycombinator wrote:
| I'm not aware of the "helper tool" popup, but I would
| definitely be skeptical of it. Even if it is Slack, Slack is
| just a messaging application. I don't know what legitimate need
| it would have for a helper tool. I would ask Slack support,
| though (and hopefully you can get a real answer and
| explanation).
| 1oooqooq wrote:
| > Slack is just a messaging application
|
| its sold more as a way to store and all conversations than
| the ability to be a messaging application.
|
| the original pitch was to make all information, even private
| conversation of previous employees, searchable.
| nmgycombinator wrote:
| Damn. That sounds pretty dystopian. But typical for
| American corporate life.
| frollogaston wrote:
| I don't really expect my 1:1 conversations on the company
| chat to be invisible to the company.
| nmgycombinator wrote:
| I don't either. But it's still a bit creepy regardless.
| trollbridge wrote:
| In environments like this, my trusted colleagues and I
| communicated using Signal (and before that, WhatsApp).
|
| One somewhat paranoid department that was convinced they
| were being spied on (they weren't; I saw the Slack admin
| dashboard and management was too cheap to pay for the
| retention and spying features) maintained the use of an
| ancient Jabber based group chat for their own internal
| communications.
| cyberax wrote:
| Why? Companies already have to retain the data (in case
| of lawsuits, etc.).
|
| Slack is also used because it allows to create persistent
| channels that are searchable. So they often end up being
| a knowledge base for the company.
| nmgycombinator wrote:
| I guess that's a fair point. It cuts both ways, but given
| that so many people use Slack as opposed to talking, the
| exact words people used and when are could be open to
| view. Whereas, before all of this, you may only just have
| the minutes of any official meetings. Any side chatter
| not in the meeting room and/or exact phrasings would be
| lost to time.
| frollogaston wrote:
| It doesn't need special permissions on your Mac to do that.
| makeitdouble wrote:
| > Slack is just a messaging application.
|
| I kinda like this angle. While Slack makes an effort to work
| basically everywhere with low effort, I wonder what would
| follow if it wasn't the case.
|
| For instance if for some stupid legal reason Slack was banned
| from macos, how many people would just switch to another OS ?
| I'd bet it would be a non trivial amount of users at this
| point.
| dylan604 wrote:
| or you know, just use the web app
| makeitdouble wrote:
| If it was a legal ban I'd assume Apple would go pretty
| far to make it happen, app or not.
| dcrazy wrote:
| This dialog comes from the System Management framework [1].
| Slack is probably installing a privileged helper tool
| (conceptually similar to a setuid root binary) so that it can
| update itself regardless of where it is installed or which user
| originally installed it.
|
| [1]:
| https://developer.apple.com/documentation/servicemanagement/...
| QuercusMax wrote:
| Seems like it should only need to do this once. I get this
| with almost every Slack and VSCode update. The correct
| solution for me is to quit Slack.app and let my company's
| management software do the update for me.
| closeparen wrote:
| Maybe it's smart enough to require re-authorization when
| the binary changes?
| ubercow13 wrote:
| Why would the helper binary change that much? A setuid-
| ish binary should be ultra simple and not constantly
| changing I'd assume.
| QuercusMax wrote:
| ...and it should be able to replace itself.
| socalgal2 wrote:
| I don't use slack except in the browser. I never get a
| prompt for VSCode. It must be one of your extensions.
| trollbridge wrote:
| Chances are they have some kind of management software like
| SentinelOne that is preventing Slack from doing this (or
| storing the permission to do so), so it just asks over and
| over. Which is arguably worse.
| nmgycombinator wrote:
| A software updater was going to be my best guess at what this
| was. I guess I understand the flexibility it brings, but it
| definitely does have some security trade-offs.
| e40 wrote:
| I installed Slack from the app store and never see this
| popup.
| accrual wrote:
| Discord does this as well I believe. I often needed to enter
| the administrator password to install a helper after the
| system had been off for a couple days.
| jonplackett wrote:
| And they are sooooo insistent. Just keep bugging you
| forever
| nartho wrote:
| Discord, Slack and VS Code desktop apps are all built using
| Electron, so I'm guessing this is an Electron issue.
| 1shooner wrote:
| I get this from every Electron-based app that I have run as
| multiple OS users.
| kccqzy wrote:
| That does sound like it could be exploited, but with only as
| much exploitability as some random app that requires your
| password (for analogy consider a Linux binary that refuses to
| run unless being run as root). Ultimately it's a matter of
| deciding whether you trust the developer of the app and whether
| you trust this app is really from that developer. The day Apple
| prevents users from giving root access to a third-app app is
| when the Mac fully becomes a walled garden, and you can expect
| pages of HN complaints.
|
| Overall I think it's good paranoia to not grant root
| permissions to apps that do not clearly need them such as
| Slack.
| aziaziazi wrote:
| Being paranoid, would it be possible that another app already
| installed (but not trusted enough to give privilege, let's
| say a shady mouse driver or screenshot app) detect when slack
| (more trustfully) does launch to open a dialog at that
| precise time and deceive the user? Let's say the shady app is
| named << SIack >> or something close enough to be missed -
| but brand itself as innocents << screenshotPro4000 >> in the
| app itself graphics so you're not suspicious.
| nmgycombinator wrote:
| > The day Apple prevents users from giving sudo access to a
| third-app app is when the Mac fully becomes a walled garden,
| and you can expect pages of HN complaints.
|
| I can see this happening, but it probably won't anytime soon.
| macOS is still open enough, and with the assumption that
| sometimes processes need root (see third-party Launch
| Daemons).
|
| It would probably break quite a lot. But I wouldn't be
| surprised if they eventually gradually move macOS in that
| direction.
| haiku2077 wrote:
| I get this popup all the time.
|
| It contains no information that I can reasonably use to match a
| decision on whether or not to allow it, so I always click
| cancel on it.
| jonplackett wrote:
| These types of 'security' blockers are so dumb because they
| train people to act dumb. Even if they're real, the next time
| they may not be.
|
| It's like how my bank often calls and wants me to give them my
| personal info for 'data protection' before we can speak. These
| are legit bank calls, training people to give out personal info
| to strangers.
| hbn wrote:
| As of the latest macOS update, every app is now asking every
| few days if it can have access to devices on your local
| network, or something to that tune. My theory right now is
| it's something in chromium that automatically asking for this
| and Electron apps will do this out of the box, but I can't
| remember which apps exactly have been doing this.
|
| Regardless, yes it causes the exact issue you're talking
| about. I don't even read what the popups say anymore, I'm
| just blindly hitting an accept button.
| jonplackett wrote:
| I'm surprised Apple have let this happen.
|
| When you make an iOS app and requested permission for
| something - photo library or location etc. you MUST write
| out a sentence of what you'll use it for which is shown to
| the user.
|
| Why not the same for Mac apps?
| reaperducer wrote:
| _Why not the same for Mac apps?_
|
| How would Apple enforce that?
|
| iOS apps go through the App Store, so proper behavior can
| be enforced.
|
| The apps people are complaining about here are downloaded
| from the vendor. Apple is not involved.
| beezlewax wrote:
| This is chrome for sure. There a bunch of threads if you
| search the actual error message you'll get hits on
| stackoverflow and in apple forums
| codebje wrote:
| If someone cold calls me and asks me to verify myself, I
| refuse.
|
| If it's an expected call or they give me a good reason to,
| I'll call their listed contact number back.
|
| So far I have not missed out on anything of consequence by
| refusing to identify myself to someone who initiated contact
| with me.
| jonplackett wrote:
| I likewise refuse the bank's call and they're always really
| confused why I'd do such a thing - so clearly they have
| successfully trained all their other customers to be morons
| - and then they will no doubt blame them when they get
| conned.
| jq-r wrote:
| And it so annoying because it steals focus so as you're
| writting a message it suddenly stops taking your input and
| "helpfully" continues typing your text into the password box.
| floatrock wrote:
| Not an os-x developer, but I've always wondered are there any
| OS guardrails against any (malicious) application showing a
| window styled the same way as that popup box and just stealing
| your password?
| rplnt wrote:
| And they somehow stack in time. So after a weekend it's popping
| up over and over until I give up and quit Slack. It's been like
| this for a year I'd say. There's no way to stop them and they
| always get focus, which is extremely annoying. How can I revoke
| this permission from Slack? Seems pretty abusive.
| e40 wrote:
| > The patch is released
|
| I assume that is with 15.5...
| nmgycombinator wrote:
| > which was patched in today's releases of macOS Sequoia 15.5
| et al.
|
| Correct.
| commandersaki wrote:
| Love this guy's research, such good presentation!
| nmgycombinator wrote:
| Thank you very much! Although I'm not a guy, just fyi! I'm just
| a person :)
| JohnFen wrote:
| Honestly, I don't really trust any permissions popups on anything
| anymore. They are often porous enough to count as "security
| theater".
| nmgycombinator wrote:
| I honestly think this is a good skepticism to have. I generally
| don't hit "Accept" (or "Allow" or whatever) on any permission
| pop-up unless I know exactly what it's doing and what I need it
| for.
| coolcase wrote:
| And at $Corp I get constant popups to enter my password or
| confirm an action. Like 50-100 a day.
| nmgycombinator wrote:
| I bet threat actors are just salivating at the thought of
| giving you a fake password prompt.
| silvestrov wrote:
| It took Apple a full year to release the fix. That is a very long
| time.
|
| _2024-05-04 I leave several additional update messages as I
| continue testing my PoC_
|
| _2025-05-12 The patch is released_
| nmgycombinator wrote:
| Yeah. I'm guessing there must be some legitimate (internal?)
| use cases for the behavior I found and they spent all that time
| working out the kinks to allow those edge cases while also not
| allowing malicious ones. Or perhaps it wasn't as high on their
| priority list as it required a higher level of user interaction
| (the user had to click "Allow"). In any case, though, I do
| believe that a year is a shockingly long time for them to take.
| zoomTo125 wrote:
| Almost a year to release a patch. If Apple takes that long, there
| is no hope for other vendors.
| nmgycombinator wrote:
| This is Apple-specific, though. So there aren't really any
| other vendors that are relevant to this specific scenario. I
| will say, they have been quicker with my other reports; taking
| just a few months as opposed to a full year.
| EGreg wrote:
| I once sent an email to Steve Jobs back in 2009 or so
|
| I told him that the MacOS permissions dialog could easily be
| spoofed, and that Macs should have a secret phrase or icon that
| you choose that they'd display inside these dialogs, and prevent
| their screen capture like what they had been doing with their
| recent DRM features.
|
| Never heard back from him
|
| And it never got implemented. Any program can still continue to
| spoof it and grab your system password.
| nmgycombinator wrote:
| I mean, at that point and app could just put up a fake prompt
| using the UI framework. And I think users would be more
| hesitant to type a full password than just click a button. But
| if you're talking about a bug similar to mine where an attacker
| could use the OS's own code against it and make it show a
| prompt with misleading content, you might be able to report it
| to Apple Product Security and maybe get a bounty.
| trollbridge wrote:
| I mean, a website could display a crafty popup-appearing box
| and try to get you to type in your username and password. Not
| really sure how you can prevent that.
|
| Vista used the "the background dims quite a bit" to try to
| deal with that.
| nmgycombinator wrote:
| Yeah. I think the key thing in my vulnerability is that it
| abused a legitimate OS prompt _and_ had the consequences of
| that prompt be applied to something separate from what the
| prompt text itself said it would.
| EGreg wrote:
| I just told you how... it would show your special icon or
| phrase inside so you'd confirm it before you typed
| anything.
|
| The phrase would be managed through a system screen, like a
| login screen
| sureglymop wrote:
| I wonder why they don't add a little led to their laptops
| that would indicate that it really is the system asking for
| your password. Kind of like the camera led.
| muppetman wrote:
| I remember the I'm a Mac and I'm a PC ads that mocked this on
| Vista. And now my Mac is worse than Vista. It's so annoying.
| nmgycombinator wrote:
| Out of curiosity, what do you find annoying about it?
| muppetman wrote:
| Every time I update an app I have to be told I downloaded it
| from the Internet and do I trust it. Can this app look on the
| local network? Constantly being nagged to the point I don't
| even check/care anymore. Exactly what Vista used to do.
| nmgycombinator wrote:
| The local network popup thing is too overdone in my
| opinion. However, I do think it is a good choice (in some
| respects) for Apple to have the "this is a program
| downloaded from the Internet", even if it can be annoying.
| It might also be a push to get developers to publish on the
| App Store (where Apple can be more sure (hopefully) that
| the apps are safe).
|
| It's a double-edged sword in my opinion. I think it's good
| that the OS is looking out for the user in a lot of cases.
| I also understand how it can give the users pop-up fatigue.
| bigyabai wrote:
| > It might also be a push to get developers to publish on
| the App Store (where Apple can be more sure (hopefully)
| that the apps are safe).
|
| This is exploitation of developers, plain and simple.
| Apple should secure their runtime, not roleplay as a
| software rent-a-cop that manually (and fallibly) inspects
| submissions. The App Store is a blatant moneymaking
| racket, on mobile and desktop alike. "Security" is a fig
| leaf for the perverse incentive Apple has to corral
| developers under their thumb.
| nmgycombinator wrote:
| Honestly, I think you have a fair point there. I
| personally don't believe that any system could be 100%
| secure. But I do think there is a point to be made on the
| efficacy of securing the runtime compared to individual
| app inspection.
| charcircuit wrote:
| Apple does both. They secure the runtime and review apps.
| bigyabai wrote:
| And to NSO Group's delight, they don't review SMS
| messages or Safari contents either. The "curated
| security" shtick is a lie, it does not protect anyone and
| doesn't function reliably in the first place. Both
| targeted malware and generic scams are rampant and
| unrestrained on iOS. Many of them are promoted as iPhone
| Search Ads, or suggested Siri results.
|
| The knock-on effects it has are even worse. By relying on
| this game of shuffling private entitlements around, Apple
| has less incentive to _actually_ review what developers
| are doing with them. Look at the Uber iPhone app 's
| screenrecord permissions, or when TikTok stole iOS
| clipboards.
|
| Apple uses "secure" review as an excuse to _not_ review
| apps or secure their runtime.
| charcircuit wrote:
| But they do secure their runtime. It's not an excuse not
| to.
| trollbridge wrote:
| I simply run `xattr -d downloaded-app.dmg` on apps I
| download that I trust to turn off this behaviour.
| dylan604 wrote:
| yeah, 'cause that's so much easier than just saying yes
| to the prompt, or right-clicking and selecting open from
| the context menu
| ben-schaaf wrote:
| > It might also be a push to get developers to publish on
| the App Store (where Apple can be more sure (hopefully)
| that the apps are safe).
|
| Apps on macOS need to be signed and notarised. Apple has
| the exact same capability to scan for malicious behaviour
| and revoke your keys regardless of how you publish. We
| all know the real reason they want to push apps towards
| the app store.
| zakki wrote:
| Microsoft was right.
| bigyabai wrote:
| Oh god, don't get me started...
|
| 1. iCloud nags never go away if you don't log into iCloud
|
| 2. Apple Music is just an advertisement by default and
| "conveniently" opens every sound file mimetype
|
| 3. Functionally useless subscription slopware like AppleTV+
| comes installed by-default for no reason
|
| 4. Package management is a colossal clusterfuck that can't
| even enforce package parity across system architectures
|
| 5. Apple _still_ doesn 't trust their users enough to have
| modern amenities like a native Vulkan runtime or Nvidia GPU
| drivers
|
| Vista was terrible, but it didn't suffer from this level of
| identity crisis.
| nmgycombinator wrote:
| I agree that it's weird that Apple TV comes pre-installed.
| The others I have less experience with so I can't really
| comment on them.
| tough wrote:
| you might like https://github.com/philocalyst/infat to
| change the mimetypes associations
| bigyabai wrote:
| I might prefer respectful default apps that delight the
| user and don't cost anything more than what I paid for at
| checkout.
|
| MacOS isn't for me, I guess.
| louthy wrote:
| Slight tangent: Apple TV constantly has MLS (major league
| soccer) and Apple TV+ in the left-side pop up Home menu,
| taking up real-estate for something I will never access. So
| annoying.
|
| Why, as someone from England -- with arguably the best
| football league in the world -- would I want to watch
| American Soccer? I don't even watch the English league.
|
| The menu is:
|
| --------------
|
| * Search
|
| * Home
|
| * Apple TV+
|
| * MLS
|
| * Store
|
| * Library
|
| --------------
|
| Title: Channels & Apps
|
| * _This is where all the channels I have actually opted for
| live -- separate from the Apple products that I don't want_
|
| --------------
|
| Both Apple TV+ and MLS should not be on that menu
| permanently. And it should be possible to turn them off.
| dylan604 wrote:
| > Why, as someone from England -- with arguably the best
| football league in the world -- would I want to watch
| American Soccer? I don't even watch the English league.
|
| So you're the type that doesn't watch the Special
| Olympics I take it? MLS is the geriatric retirement
| league for super star players, or the not quite good
| enough to play in the other leagues league. One season, I
| tried to get into MLS. At one point I tried using a stop
| watch to clock how much time the ball was out of play in
| MLS compared to "real" leagues, and it was close to 20%
| which is not far away from amateur kids level of play.
|
| I don't blame you for not liking the MLS branding.
| However, I'm guessing they paid a couple of shiny coins
| for that privilege, so they're naturally going to try to
| do anything to recoup that money
| louthy wrote:
| I don't watch football at all. If it's not cricket...
| _well it ain't cricket!_
|
| But even if it was a channel dedicated to test cricket
| (the greatest sport in the history of sport), I would
| still resent the foisting. These are clearly anti-
| competitive practices and that always leads to worse
| products eventually.
| viraptor wrote:
| > Apple Music is just an advertisement by default and
| "conveniently" opens every sound file mimetype
|
| Not only that, but you get the advertisement every time it
| starts and then it doesn't play the actual file. So unless
| you join the service the process is: try to open the audio
| file, close the advert, go back to source, open the file
| again.
| yieldcrv wrote:
| > Apple confirms that I will be credited
|
| congratulations on the credit
|
| and they also paid you $1,000,000 or whatever their top bug
| bounty payout is right?
| nmgycombinator wrote:
| No word from them on the payout, yet. They only start deciding
| on if and how much to pay after the patch. I know for a fact it
| doesn't fall under the $1,000,000 reward tier as that is for
| their Private Cloud Compute platform. But it may fall under
| some of their other categories.
| cypherpunks01 wrote:
| Just recently learned I should be installing mac apps into my
| home directory Applications, not the system Applications (as
| every single app installer suggests). Of course, only makes sense
| for a single-user machine.
|
| If I downgrade myself to a non-admin user, and install apps into
| my home Applications, then I'm not bothered by permissions
| requests from apps to update themselves. Almost all of them can
| just do it, on their own, with non-admin permissions. The only
| exceptions I've found are Tailscale and other stuff that needs
| higher level OS integration.
___________________________________________________________________
(page generated 2025-05-12 23:00 UTC)