I’ve had a PoC for this technique for a little while as part of research for a future talk on the subject of post-exploitation in MacOS, but as an article has surfaced detailing the adware OSX.Pirrit’s use of this technique, I thought it appropriate to disclose this writeup. It should be noted that while this particular PoC targets only Google Chrome, the attack works against Safari as well. Mozilla Firefox is exempt from this specific attack as they do not expose a similar scripting definition to AppleScript.
Browser hijacks are hard, let’s go shopping
Sniffing credentials right out of form submissions, disregarding 2FA by leveraging a victim’s already active tab, redressing/overlay attacks and much more are possible with this technique, and all done with no specialized tools.
You probably don’t care about the how and just want a pre-packed PoC ready to be used for rickrolling your friends so here it is:
Minimized OSAScript oneliner
How the whut?
Put simply, AppleScript is boss, and very few built-in scripting languages on other Operating Systems come close to the amount of power that is given to end-users and developers. Intended primarily to be used for automation, AppleScript has the potential to open the door to a lot of fun for system administrators and hackers alike.
Applications with dedicated integrations with AppleScript contain a .sdef file which outlines the Scripting Definitions available to AppleScript. Poking around a bit on my system I noticed that Chrome and Safari had .sdef files.
What’s it do?
While a primer on AppleScript is outside the scope of this post, a quick breakdown is provided as comments in the code to aid the reader.
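From the defender's side, the tell-tale artifact of this technique is an osascript process whose command line addresses a browser and hands it JavaScript. The following detection sketch is an added example, not code from the original post: it scans constructed process-execution events (JSON lines, one per exec) and flags osascript invocations that target Chrome's "execute ... javascript" verb or Safari's "do JavaScript" verb. The event field names and the exact verb spellings are assumptions for the example.

```python
import json
import re

# Scripting verbs (assumed from the Chrome and Safari .sdef files) that
# hand a JavaScript string to an already open tab.
BROWSER_JS_VERBS = {
    "Google Chrome": re.compile(r"\bexecute\b.*\bjavascript\b", re.IGNORECASE),
    "Safari": re.compile(r"\bdo\s+javascript\b", re.IGNORECASE),
}
TELL_RE = re.compile(r'tell\s+application\s+"([^"]+)"', re.IGNORECASE)


def classify_exec(event):
    """Return a finding if an exec event looks like AppleScript-driven
    JavaScript injection into a browser tab, otherwise None."""
    exe = event.get("process", "")
    if exe.rsplit("/", 1)[-1] != "osascript":
        return None
    cmdline = " ".join(event.get("args", []))
    m = TELL_RE.search(cmdline)
    if not m:
        return None
    app = m.group(1)
    verb_re = BROWSER_JS_VERBS.get(app)
    if verb_re and verb_re.search(cmdline):
        return {"pid": event.get("pid"), "parent": event.get("parent"), "browser": app}
    return None


def scan(lines):
    """Run classify_exec over JSON log lines; malformed lines are skipped."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify_exec(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (hypothetical field layout from an EDR exec feed).
SAMPLE_LOG = [
    '{"pid": 401, "parent": "Terminal", "process": "/usr/bin/osascript", "args": ["-e", "display dialog \\"hi\\""]}',
    '{"pid": 402, "parent": "curl", "process": "/usr/bin/osascript", "args": ["-e", "tell application \\"Google Chrome\\" to execute active tab of front window javascript \\"...\\""]}',
    '{"pid": 403, "parent": "bash", "process": "/usr/bin/osascript", "args": ["-e", "tell application \\"Safari\\" to do JavaScript \\"...\\" in document 1"]}',
    '{"pid": 404, "parent": "launchd", "process": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", "args": []}',
    'not json at all',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Pairing the hit with its parent process (here a curl or shell parent rather than a user-launched Script Editor) is what separates a post-exploitation payload from legitimate automation.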
While I’m sad that I wasn’t the first one to weaponize this technique publicly, I hope that this public release of a fairly harmless PoC will spark discussion around writing more creative payloads and help excite malware authors and security researchers to take more time to look at MacOS and develop more post-exploitation techniques.
I leave implementation of this PoC in Safari as an exercise for the reader.
RIP Trevor; another fun bug squashed in public.