TextEdit, the humble text editing app that's pre-installed on Macs, could have revealed your IP address to a hacker.
Paulos Yibelo found a bug that potentially allowed a hacker to trick a victim's Mac into revealing their IP address just by downloading a .txt file and opening it with TextEdit. The issue was that TextEdit automatically parsed and interpreted HTML code. To trigger this vulnerability, the hacker would have simply needed to insert some malicious HTML code into the text file to make TextEdit ping a remote server controlled by the hacker, as the researcher explained in a blog post.
Apple patched the bug last year, according to the company's security update notes. The company declined to comment.
"And that's basically gameover I believe!" Yibelo told me in an online chat, referring to the possibility of achieving Remote Code Execution, or RCE.
Yibelo said he was surprised to find out that TextEdit had features such as calling to other local files and folders on the hard disk, and even making a request to a remote server. And a hacker could take advantage of those features with some HTML code hidden in an innocent looking text file.
"Realizing the TXT file had colors and bold parts was really eerie," Yibelo said. "I knew immediately something would go wrong if I could inject *ANY* html."
A screenshot of a test Yibelo made to showcase the vulnerability. (Image: Paulos Yibelo)
Yibelos also realized that Apple's malware protection system Gatekeeper essentially treated all downloaded .txt files as safe.
"One of the first bugs I discovered using this showed me that Gatekeeper doesn’t quarantine TXT files even if they were downloaded from a suspicious website," Yibelo wrote in his blog. "For example, I found a TXT file force-downloaded from Tor browser, when opened can bypass Gatekeeper and leak the real IP address of the victim without any warning. This wasn’t very straightforward though."
Do you research vulnerabilities on Apple's products? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
Nicholas Ptacek, a researcher who works for SecureMac, told Motherboard that he replicated and confirmed Yibelo's vulnerability on an older Mac.
"An exploit capable of sending arbitrary data to a third party through something as innocent looking as a text file is yeah...this shows the importance of sanitizing input, especially in text-parsing applications," Ptacek told Motherboard in an online chat. "MacOS is kind of a hodge podge of systems when it comes to determining a file type and how a given application should attempt to parse the content."
The good news is that, as long as you have an updated MacOS, you don't have to worry about this bug anymore. The bad news is that there may be more bugs in TextEdit. Yibelo said he found another one and he is in the process of finishing research on it and reporting it to Apple.
Subscribe to our cybersecurity podcast CYBER, here.