Apple’s macOS Mojave released but with a major security vulnerability
Apple Inc. today released macOS 10.14 Mojave to the general public, but in a bad sign for the company, it has a major security vulnerability.
Mojave was announced on June 4, with a beta release made available later that month. Finder and Quick Look have been upgraded: the sidebar now supports full metadata for images, multimedia, documents and files, while Quick Look now integrates the editor software Markup to recognize numerous types of media.
Most of the changes were under the hood, but a new native “dark mode” allows users to change the look and feel of the entire user interface to darken the display and, as it unexpectedly turns out, allow hackers to break into the macOS install.
Detailed by security researcher Patrick Wardle, a severe security flaw introduced in the dark theme allows unauthorized access to a user’s private data. Speaking to Bleeping Computer, Wardle explained that the vulnerability, which can be exploited by an unverified app, stems from the way Apple has implemented protections for privacy-related data.
Although Wardle did not go into great detail about the technical aspects, a video shows him attempting to access a user’s protected address book without success. He then runs a bypass program, fittingly dubbed “breakMojave,” which locates the user’s address book, circumvents the privacy access controls and copies its contents to his desktop.
Wardle added that the bypass does not work with all of Mojave’s new privacy protection features and that hardware-based components such as the built-in webcam are unaffected.
Apple has not commented on the report, although Wardle said he attempted to reach out to the company before going public. Presumably, the vulnerability also existed in the beta versions of Mojave prior to its official release.
It’s not a good look for Apple, given that it has long boasted that its software is more secure than Microsoft Windows.
Wardle said he will release more details about the vulnerability at a conference in November.