macOS vulnerability: Total physical access opened when screen sharing is on

8 points by hgezim 2 years ago | 7 comments

I accidentally found this vulnerability that when you remote login into a Mac using Screen Sharing (included in all recent MacOS versions), someone with physical access can take over your session and lock you out of it and then have full, complete, total, absolute control over your machine.

Someone crafty can watch your screen and wait until you type in a sensitive password (like root or 1Password) and decide to take over at that point.

The best part? The person with physical presence can lock the remote user out (you): https://www.youtube.com/watch?v=wbLYKEQk_mM

I reported this to Apple more than 90 days ago. They said it was intended behaviour.

I cannot remote into my machines safely since I discovered this.

Without exaggeration, my wife one day messaged me and said, "your computer is moving," because she could see I was logged into my iMac at home from the office and using it.

Another day a colleague was working late at the office and I had logged into my office machine from home. He messaged me saying, "Did you leave your computer on on purpose?" He knows I always lock my computer because I give him heck for not locking his.

What did Apple Security Research recommend when they closed out the issue? They said I should use Apple Remote Desktop. That app is on the Mac App Store and averages 2.1/5. It retails for $99.99.

Maybe I'm off here. Did you expect someone next to your machine to see everything you do and be able to take control when you remote into it?

Someone 2 years ago |

> I accidentally found this vulnerability that when you remote login into a Mac using Screen Sharing

> Did you expect someone next to your machine to see everything you do

The “Sharing” part of “Screen Sharing” seems to imply that, doesn’t it?

> and be able to take control when you remote into it?

That’s more surprising. I think the main issue is that, if you start it remotely, the distinction between screen sharing and Remote Desktop isn’t obvious.

Edit: Apple’s support page (https://support.apple.com/en-gb/guide/mac-help/mh14066) only mentions initiating screen sharing from the computer whose screen is being shared, and is clear about the reverse:

“While your screen is being shared, the user of the other Mac sees what’s on your screen and can open, move and close files and windows, open apps, and even restart your Mac.“

sircastor 2 years ago |

I think the issue at hand here is that you’re using a piece of software intended for remote assistance/collaboration as a remote access tool. Specifically, you’re thinking of screen sharing as a way to access your own computer, where you’re the primary user from a remote location.

Screen sharing is meant to be used with someone at the computer, and another person remotely. And the person at the computer (presumably the person doing the “sharing”) is supposed to have lockout control.

codingpanic 2 years ago |

What you are looking for is "Curtain Mode."

Some VNC clients support this feature. ARD is one, Screens is another I'm familiar with.

Curtain mode keeps the remote system's display and keyboard locked and uncontrollable, and thus secured.

runjake 2 years ago |

As others have mentioned, this isn't a vulnerability, it's by design. It's in the name "Screen Sharing".

Screens has a "Curtain Mode", and is $29.99 (less with EDU pricing).

https://edovia.com/en/screens-mac/

josephcsible 2 years ago |

https://apple.stackexchange.com/q/181358/306120

KomoD 2 years ago |

I don't get what the issue is?

didntknowya 2 years ago |

it was kinda in the name