MacBook Pro’s Touch Bar hacked through Safari exploit

MacBook Pro's Touch Bar isn't as secure as we thought.
Photo: Niklas Baumstark

Hackers have been able to gain unauthorized access to the MacBook Pro’s fancy new Touch Bar by taking advantage of a hole in Safari.

The duo demonstrated the exploit at the Pwn2Own security conference, taking place in Vancouver, Canada, this week, and bagged $28,000 for their efforts.

The Touch Bar is powered by a dedicated T1 chipset and a custom version of watchOS. That T1 chip also manages the security of features like Touch ID and the MacBook Pro’s front-facing FaceTime camera. But it turns out it isn’t all that secure.

Using a number of logic bugs to exploit a vulnerability in Safari, Samuel Groß and Niklas Baumstark were able to gain access to the Touch Bar and display the custom message shown above, which reads, “pwned by niklasb and saelo.”

Although it was only considered a partial success, since the vulnerability has already been patched in more recent versions of macOS, the hack earned them a $28,000 reward and nine points in the Pwn2Own competition.

Another Safari vulnerability earned the Chaitin Security Research Lab a $35,000 reward and 11 points because it was seen as a full success. Other teams also attempted to breach Safari, Digital Trends reports, but were unable to do so within the allotted time.

Pwn2Own is giving away $1 million in prizes this year to those who are able to breach big platforms. Apple isn’t the only target; so far, others have successfully cracked the Linux kernel, Adobe Reader, and Microsoft’s new Edge browser for Windows 10.
