MacOS sometimes leaks traffic after system updates

(mullvad.net)

400 points dulvui | 4 comments | 16 Oct 24 08:37 UTC | HN request time: 0s | source

Show context

mgoetzke ◴[16 Oct 24 09:44 UTC] No.41857244[source]▶

it also leaks the audio of tabs before logging in.

Even though I had disabled all 'restore' applications features, macos sometimes decides to 'start' browsers BEFORE logging in after a restart AND those start auto-playing audio from whatever was paused before the reboot (or many days before).

Since then I went rather deep disabling that feature, but I never trusted it.

replies(7): >>41857258 #>>41857358 #>>41857362 #>>41857411 #>>41857615 #>>41857667 #>>41857946 #

1. cryptoz ◴[16 Oct 24 10:15 UTC] No.41857411[source]▶

>>41857244 #

How is this possible? I wouldn’t have thought that it could open your applications without you logging in? How does it know who you are? How does it know which applications to open? If you’re not logged in yet, is is just logging in for you automatically but not showing you?

Seems like a huge security bug. This isn’t being exploited? Wild stuff.

Reminds me of when you could hear a FaceTime call coming through but if you chose not to answer it, no worries! Your iPhone will turn on your camera anyway! And send your video to the calling party!

replies(1): >>41857777 #

2. delfinom ◴[16 Oct 24 11:13 UTC] No.41857777[source]▶

>>41857411 (TP) #

Vast majority of all laptop and even phone usage is single user. They could literally be doing

if macbook_has_only_one_account():

preloadapps()

replies(1): >>41862800 #

3. cryptoz ◴[16 Oct 24 19:20 UTC] No.41862800[source]▶

>>41857777 #

But how? - surely they don't store the passwords in plain text locally? Does the OS have a function to log in a user while bypassing their credentials? I would have assumed that it is impossible for the OS to preloadapps() when it doesn't have access to the user's apps in the first place.

But apparently it does! shrug

So why tell the user that they need to log in first? If they are the only user account on the system and the OS can access the user's files and apps without logging in, why have the user event set a password in the first place? It seems like a fake login, a false sense of security. And a massive security issue. If the user can just open the lid and that means that code is now running under their own account but they have not authorized a log in, that's just dangerous.

replies(1): >>41869754 #

4. delfinom ◴[17 Oct 24 13:59 UTC] No.41869754{3}[source]▶

>>41862800 #

The OS at its core doesn't care about credentials. As long as there is a root process, which there is for init. It can simply execute a process as another user id.

With how modern macbooks and many other laptops work nowadays, you are rarely fully turning off the device and simply hibernating it constantly which keeps everything loaded in memory.

I don't deny there are security implications. But it's an Apple design choice. lol

↑