这次事件我觉得不是沙盒机制本身的问题,但是沙盒本身就有很多种绕过的方法:
- 配置 ennoscriptment(需要 MAS 审核,但是安全软件的话扫描文件看起来挺合理的)
- 应用通过弹出系统打开对话框并欺骗用户点击打开按钮来永久获得该文件夹及其子文件夹和文件的访问权限
- 一些其它辅助功能权限
这些东西 macOS 上没有明确的风险提醒(当然可能也做不了),所以其实很容易欺骗用户来完成这些操作
- 配置 ennoscriptment(需要 MAS 审核,但是安全软件的话扫描文件看起来挺合理的)
- 应用通过弹出系统打开对话框并欺骗用户点击打开按钮来永久获得该文件夹及其子文件夹和文件的访问权限
- 一些其它辅助功能权限
这些东西 macOS 上没有明确的风险提醒(当然可能也做不了),所以其实很容易欺骗用户来完成这些操作
Daring Fireball 的说法证实了我之前的猜测:
Contrary to some reports, Adware Doctor didn’t find some sort of hole in the sandbox that prevents apps downloaded from the Mac App Store from being able to access the entire file system. The app asked permission from the user, which is the only way Utilities like this can work.
Contrary to some reports, Adware Doctor didn’t find some sort of hole in the sandbox that prevents apps downloaded from the Mac App Store from being able to access the entire file system. The app asked permission from the user, which is the only way Utilities like this can work.
Forwarded from C'est la vie
This media is not supported in your browser
VIEW IN TELEGRAM
Forwarded from Staph. aureus | Producing exotoxin
This media is not supported in your browser
VIEW IN TELEGRAM
Mac Video 簡直有毒啊⋯⋯
💊烤苹果
https://9to5mac.com/2018/09/09/additional-mac-app-store-apps-caught-stealing-and-uploading-browser-history/
近期 MAS 上盗取用户隐私的程序不止一个了啊。请各位注意:
- 沙箱不是万能的
- 确认系统打开对话框相当于授予该应用程序永久的访问该文件夹及其所有子文件夹和子文件的权限
- 沙箱不是万能的
- 确认系统打开对话框相当于授予该应用程序永久的访问该文件夹及其所有子文件夹和子文件的权限