I remember the I'm a Mac and I'm a PC ads that mocked this on Vista. And now my Mac is worse than Vista. It's so annoying.
nmgycombinator · 41m ago
Out of curiosity, what do you find annoying about it?
muppetman · 37m ago
Every time I update an app I have to be told I downloaded it from the Internet and do I trust it. Can this app look on the local network?
Constantly being nagged to the point I don't even check/care anymore.
Exactly what Vista used to do.
nmgycombinator · 32m ago
The local network popup thing is too overdone in my opinion. However, I do think it is a good choice (in some respects) for Apple to have the "this is a program downloaded from the Internet", even if it can be annoying. It might also be a push to get developers to publish on the App Store (where Apple can be more sure (hopefully) that the apps are safe).
It's a double-edged sword in my opinion. I think it's good that the OS is looking out for the user in a lot of cases. I also understand how it can give the users pop-up fatigue.
ben-schaaf · 15m ago
> It might also be a push to get developers to publish on the App Store (where Apple can be more sure (hopefully) that the apps are safe).
Apps on macOS need to be signed and notarised. Apple has the exact same capability to scan for malicious behaviour and revoke your keys regardless of how you publish. We all know the real reason they want to push apps towards the app store.
zakki · 1m ago
Microsoft was right.
trollbridge · 27m ago
I simply run `xattr -d com.apple.quarantine downloaded-app.dmg` on apps I download that I trust to turn off this behaviour.
dylan604 · 23m ago
yeah, 'cause that's so much easier than just saying yes to the prompt, or right-clicking and selecting open from the context menu
bigyabai · 28m ago
> It might also be a push to get developers to publish on the App Store (where Apple can be more sure (hopefully) that the apps are safe).
This is exploitation of developers, plain and simple. Apple should secure their runtime, not roleplay as a software rent-a-cop that manually (and fallibly) inspects submissions. The App Store is a blatant moneymaking racket, on mobile and desktop alike. "Security" is a fig leaf for the perverse incentive Apple has to corral developers under their thumb.
nmgycombinator · 26m ago
Honestly, I think you have a fair point there. I personally don't believe that any system could be 100% secure. But I do think there is a point to be made on the efficacy of securing the runtime compared to individual app inspection.
charcircuit · 19m ago
Apple does both. They secure the runtime and review apps.
bigyabai · 14m ago
And to NSO Group's delight, they don't review SMS messages or Safari contents either. The "curated security" shtick is a lie, it does not protect anyone and doesn't function reliably in the first place. Both targeted malware and generic scams are rampant and unrestrained on iOS. Many of them are promoted as iPhone Search Ads, or suggested Siri results.
The knock-on effects it has are even worse. By relying on this game of shuffling private entitlements around, Apple has less incentive to actually review what developers are doing with them. Look at the Uber iPhone app's screenrecord permissions, or when TikTok stole iOS clipboards.
Apple uses "secure" review as an excuse to not review apps or secure their runtime.
charcircuit · 2m ago
But they do secure their runtime. It's not an excuse not to.
bigyabai · 35m ago
Oh god, don't get me started...
1. iCloud nags never go away if you don't log into iCloud
2. Apple Music is just an advertisement by default and "conveniently" opens every sound file mimetype
3. Functionally useless subscription slopware like AppleTV+ comes installed by-default for no reason
4. Package management is a colossal clusterfuck that can't even enforce package parity across system architectures
5. Apple still doesn't trust their users enough to have modern amenities like a native Vulkan runtime or Nvidia GPU drivers
Vista was terrible, but it didn't suffer from this level of identity crisis.
viraptor · 6m ago
> Apple Music is just an advertisement by default and "conveniently" opens every sound file mimetype
Not only that, but you get the advertisement every time it starts and then it doesn't play the actual file. So unless you join the service the process is: try to open the audio file, close the advert, go back to source, open the file again.
louthy · 25m ago
Slight tangent: Apple TV constantly has MLS (major league soccer) and Apple TV+ in the left-side pop up Home menu, taking up real-estate for something I will never access. So annoying.
Why, as someone from England — with arguably the best football league in the world — would I want to watch American Soccer? I don’t even watch the English league.
The menu is:
———————
* Search
* Home
* Apple TV+
* MLS
* Store
* Library
———————
Title: Channels & Apps
* This is where all the channels I have actually opted for live — separate from the Apple products that I don’t want
———————
Both Apple TV+ and MLS should not be on that menu permanently. And it should be possible to turn them off.
dylan604 · 19m ago
> Why, as someone from England — with arguably the best football league in the world — would I want to watch American Soccer? I don’t even watch the English league.
So you're the type that doesn't watch the Special Olympics I take it? MLS is the geriatric retirement league for super star players, or the not quite good enough to play in the other leagues league. One season, I tried to get into MLS. At one point I tried using a stop watch to clock how much time the ball was out of play in MLS compared to "real" leagues, and it was close to 20% which is not far away from amateur kids level of play.
I don't blame you for not liking the MLS branding. However, I'm guessing they paid a couple of shiny coins for that privilege, so they're naturally going to try to do anything to recoup that money
louthy · 17m ago
I don’t watch football at all. If it’s not cricket… well it ain’t cricket!
But even if it was a channel dedicated to test cricket (the greatest sport in the history of sport), I would still resent the foisting. These are clearly anti-competitive practices and that always leads to worse products eventually.
nmgycombinator · 31m ago
I agree that it's weird that Apple TV comes pre-installed. The others I have less experience with so I can't really comment on them.
I might prefer respectful default apps that delight the user and don't cost anything more than what I paid for at checkout.
MacOS isn't for me, I guess.
cypherpunks01 · 12m ago
Just recently learned I should be installing mac apps into my home directory Applications, not the system Applications (as every single app installer suggests). Of course, only makes sense for a single-user machine.
If I downgrade myself to a non-admin user, and install apps into my home Applications, then I'm not bothered by permissions requests from apps to update themselves. Almost all of them can just do it, on their own, with non-admin permissions. The only exceptions I've found are Tailscale and other stuff that needs higher level OS integration.
sefrost · 3h ago
My work Mac regularly pops up an alert box claiming that Slack is “trying to install a new helper tool”. I have no idea why or what it means. I asked IT how I could verify it was legit and they didn’t know.
I often wonder if this could also be exploited because it asks for a password and it keeps popping back up every time I click cancel.
dcrazy · 2h ago
This dialog comes from the System Management framework [1]. Slack is probably installing a privileged helper tool (conceptually similar to a setuid root binary) so that it can update itself regardless of where it is installed or which user originally installed it.
Seems like it should only need to do this once. I get this with almost every Slack and VSCode update. The correct solution for me is to quit Slack.app and let my company's management software do the update for me.
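A check for the question sefrost raised (how to tell whether a "trying to install a new helper tool" prompt is legitimate), given as an added example and not as code from the thread, from Slack or from Apple. It assumes the classic SMJobBless layout dcrazy describes: a job definition in /Library/LaunchDaemons and the helper binary in /Library/PrivilegedHelperTools, and it compares the helper's code signature with the signature of the app that claims it. The vendor name, bundle identifiers, team IDs and codesign reports in the sample data are constructed for the example and are not Slack's.

```python
"""Audit a launchd privileged helper tool: the SMJobBless pattern behind the
"<App> is trying to install a new helper tool" dialog.

Added example for this thread, not code from Slack, Apple or any poster.
Assumes the classic layout: helper binary at /Library/PrivilegedHelperTools/<label>
and its job definition at /Library/LaunchDaemons/<label>.plist. The bundle ids,
team ids and codesign reports below are constructed sample data.
"""
import plistlib
import subprocess
import sys
from dataclasses import dataclass
from pathlib import Path

HELPER_DIR = Path("/Library/PrivilegedHelperTools")
DAEMON_DIR = Path("/Library/LaunchDaemons")


@dataclass
class Helper:
    label: str            # launchd job label; SMJobBless also uses it as the file name
    program: str          # binary launchd runs as root
    mach_services: tuple  # XPC endpoints the helper advertises to clients


def parse_launchd_plist(data: bytes) -> Helper:
    """Pull the fields that matter out of a LaunchDaemon plist."""
    plist = plistlib.loads(data)
    program = plist.get("Program") or plist["ProgramArguments"][0]
    return Helper(plist["Label"], program, tuple(sorted(plist.get("MachServices", {}))))


def parse_codesign(report: str) -> dict:
    """Parse the key=value report that `codesign -dvvv` prints (on stderr).
    The certificate chain appears as repeated Authority= lines, leaf first."""
    info = {"Authority": []}
    for line in report.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    return info


def assess(helper: Helper, helper_sig: dict, app_sig: dict) -> list:
    """Return findings; an empty list means the helper looks like it belongs to
    the app whose codesign report is app_sig (the app named in the dialog)."""
    findings = []
    program = Path(helper.program)
    if program.parent != HELPER_DIR:
        findings.append(f"program is outside {HELPER_DIR}: {helper.program}")
    if program.name != helper.label:
        findings.append(f"file name {program.name!r} does not match label {helper.label!r}")
    team = helper_sig.get("TeamIdentifier")
    if not team or team == "not set":  # codesign prints 'not set' for ad-hoc signatures
        findings.append("helper is unsigned or ad-hoc signed (no TeamIdentifier)")
    elif team != app_sig.get("TeamIdentifier"):
        findings.append(f"helper team {team} differs from app team {app_sig.get('TeamIdentifier')}")
    chain = helper_sig["Authority"]
    if not chain or not chain[0].startswith("Developer ID Application:"):
        findings.append("helper is not signed with a Developer ID Application certificate")
    return findings


def codesign_report(path: Path) -> dict:
    # codesign -d writes its report to stderr, not stdout
    proc = subprocess.run(["codesign", "-dvvv", str(path)], capture_output=True, text=True)
    return parse_codesign(proc.stderr)


def audit(app_path: str, label: str) -> list:
    """Audit the installed helper <label> against the app at app_path (macOS only)."""
    helper = parse_launchd_plist((DAEMON_DIR / f"{label}.plist").read_bytes())
    return assess(helper, codesign_report(Path(helper.program)), codesign_report(Path(app_path)))


# Constructed sample data: hypothetical vendor "Example Corp", team ABCDE12345.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.chatapp.helper</string>
<key>Program</key><string>/Library/PrivilegedHelperTools/com.example.chatapp.helper</string>
<key>MachServices</key><dict><key>com.example.chatapp.helper</key><true/></dict>
</dict></plist>"""
SAMPLE_APP_CODESIGN = """Executable=/Applications/ChatApp.app/Contents/MacOS/ChatApp
Identifier=com.example.chatapp
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345"""
SAMPLE_HELPER_CODESIGN = """Executable=/Library/PrivilegedHelperTools/com.example.chatapp.helper
Identifier=com.example.chatapp.helper
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345"""
# A rogue helper squatting on the same label, dropped outside the helper directory
# and signed by a different (constructed) team.
ROGUE_PLIST = SAMPLE_PLIST.replace(b"/Library/PrivilegedHelperTools/", b"/Users/Shared/.cache/")
ROGUE_HELPER_CODESIGN = """Executable=/Users/Shared/.cache/com.example.chatapp.helper
Identifier=com.example.chatapp.helper
Authority=Developer ID Application: Totally Legit Software (ZZZZZ99999)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZZ99999"""

if __name__ == "__main__":
    if sys.platform == "darwin" and len(sys.argv) == 3:
        result = audit(sys.argv[1], sys.argv[2])  # e.g. /Applications/Slack.app <label>
    else:  # off macOS, demonstrate on the constructed rogue sample
        result = assess(parse_launchd_plist(ROGUE_PLIST), parse_codesign(ROGUE_HELPER_CODESIGN),
                        parse_codesign(SAMPLE_APP_CODESIGN))
    print("\n".join(result) or "no findings")
```

On a Mac, run it as `python3 helper_audit.py /Applications/Slack.app <label>`, where the label is one of the file names under /Library/PrivilegedHelperTools (assumed script name); anywhere else it runs the constructed rogue sample and reports two findings. The Team ID comparison is the signal that matters: an SMJobBless helper is only meant to be callable by the clients named in its embedded SMAuthorizedClients code-signing requirement, which normally names the same vendor's app, so a helper carrying a vendor's label but signed by another team is worth treating as hostile until someone can explain it.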
trollbridge · 26m ago
Chances are they have some kind of management software like SentinelOne that is preventing Slack from doing this (or storing the permission to do so), so it just asks over and over. Which is arguably worse.
socalgal2 · 38m ago
I don't use slack except in the browser. I never get a prompt for VSCode. It must be one of your extensions.
closeparen · 2h ago
Maybe it's smart enough to require re-authorization when the binary changes?
ubercow13 · 2h ago
Why would the helper binary change that much? A setuid-ish binary should be ultra simple and not constantly changing I'd assume.
QuercusMax · 2h ago
...and it should be able to replace itself.
e40 · 2h ago
I installed Slack from the app store and never see this popup.
accrual · 2h ago
Discord does this as well I believe. I often needed to enter the administrator password to install a helper after the system had been off for a couple days.
nartho · 1h ago
Discord, Slack and VS Code desktop apps are all built using Electron, so I'm guessing this is an Electron issue.
jonplackett · 1h ago
And they are sooooo insistent. Just keep bugging you forever
nmgycombinator · 2h ago
A software updater was going to be my best guess at what this was. I guess I understand the flexibility it brings, but it definitely does have some security trade-offs.
haiku2077 · 2h ago
I get this popup all the time.
It contains no information that I can reasonably use to match a decision on whether or not to allow it, so I always click cancel on it.
nmgycombinator · 3h ago
I'm not aware of the "helper tool" popup, but I would definitely be skeptical of it. Even if it is Slack, Slack is just a messaging application. I don't know what legitimate need it would have for a helper tool. I would ask Slack support, though (and hopefully you can get a real answer and explanation).
makeitdouble · 22m ago
> Slack is just a messaging application.
I kinda like this angle. While Slack makes an effort to work basically everywhere with low effort, I wonder what would follow if it wasn't the case.
For instance, if for some stupid legal reason Slack was banned from macOS, how many people would just switch to another OS? I'd bet it would be a non-trivial amount of users at this point.
dylan604 · 16m ago
or you know, just use the web app
makeitdouble · 8m ago
If it was a legal ban I'd assume Apple would go pretty far to make it happen, app or not.
1oooqooq · 2h ago
> Slack is just a messaging application
It's sold more as a way to store and all conversations than the ability to be a messaging application.
The original pitch was to make all information, even private conversations of previous employees, searchable.
frollogaston · 2h ago
It doesn't need special permissions on your Mac to do that.
nmgycombinator · 2h ago
Damn. That sounds pretty dystopian. But typical for American corporate life.
frollogaston · 2h ago
I don't really expect my 1:1 conversations on the company chat to be invisible to the company.
trollbridge · 24m ago
In environments like this, my trusted colleagues and I communicated using Signal (and before that, WhatsApp).
One somewhat paranoid department that was convinced they were being spied on (they weren’t; I saw the Slack admin dashboard and management was too cheap to pay for the retention and spying features) maintained the use of an ancient Jabber based group chat for their own internal communications.
nmgycombinator · 2h ago
I don't either. But it's still a bit creepy regardless.
cyberax · 1h ago
Why? Companies already have to retain the data (in case of lawsuits, etc.).
Slack is also used because it allows to create persistent channels that are searchable. So they often end up being a knowledge base for the company.
nmgycombinator · 1h ago
I guess that's a fair point. It cuts both ways, but given that so many people use Slack as opposed to talking, the exact words people used, and when, could be open to view. Whereas before all of this, you may only have had the minutes of any official meetings. Any side chatter not in the meeting room and/or exact phrasings would be lost to time.
kccqzy · 2h ago
That does sound like it could be exploited, but with only as much exploitability as some random app that requires your password (for analogy, consider a Linux binary that refuses to run unless being run as root). Ultimately it's a matter of deciding whether you trust the developer of the app and whether you trust that this app is really from that developer. The day Apple prevents users from giving root access to a third-party app is when the Mac fully becomes a walled garden, and you can expect pages of HN complaints.
Overall I think it's good paranoia to not grant root permissions to apps that do not clearly need them such as Slack.
nmgycombinator · 1h ago
> The day Apple prevents users from giving sudo access to a third-party app is when the Mac fully becomes a walled garden, and you can expect pages of HN complaints.
I can see this happening, but it probably won't anytime soon. macOS is still open enough, and with the assumption that sometimes processes need root (see third-party Launch Daemons).
It would probably break quite a lot. But I wouldn't be surprised if they eventually gradually move macOS in that direction.
aziaziazi · 1h ago
Being paranoid, would it be possible for another app already installed (but not trusted enough to give privileges to, let's say a shady mouse driver or screenshot app) to detect when Slack (more trusted) launches and open a dialog at that precise time to deceive the user? Let's say the shady app is named "SIack" or something close enough to be missed, but brands itself as an innocent "screenshotPro4000" in the app's own graphics so you're not suspicious.
floatrock · 38m ago
Not an OS X developer, but I've always wondered: are there any OS guardrails against any (malicious) application showing a window styled the same way as that popup box and just stealing your password?
jq-r · 1h ago
And it's so annoying because it steals focus, so as you're writing a message it suddenly stops taking your input and "helpfully" continues typing your text into the password box.
jonplackett · 1h ago
These types of ‘security’ blockers are so dumb because they train people to act dumb. Even if they’re real, the next time they may not be.
It’s like how my bank often calls and wants me to give them my personal info for ‘data protection’ before we can speak. These are legit bank calls, training people to give out personal info to strangers.
hbn · 1h ago
As of the latest macOS update, every app is now asking every few days if it can have access to devices on your local network, or something to that tune. My theory right now is that it's something in Chromium that is automatically asking for this and Electron apps will do this out of the box, but I can't remember which apps exactly have been doing this.
Regardless, yes it causes the exact issue you're talking about. I don't even read what the popups say anymore, I'm just blindly hitting an accept button.
jonplackett · 1h ago
I’m surprised Apple have let this happen.
When you make an iOS app and request permission for something (photo library or location etc.) you MUST write out a sentence of what you'll use it for, which is shown to the user.
Why not the same for Mac apps?
reaperducer · 38m ago
Why not the same for Mac apps?
How would Apple enforce that?
iOS apps go through the App Store, so proper behavior can be enforced.
The apps people are complaining about here are downloaded from the vendor. Apple is not involved.
beezlewax · 1h ago
This is Chrome for sure. There are a bunch of threads; if you search the actual error message you'll get hits on StackOverflow and in Apple forums.
codebje · 1h ago
If someone cold calls me and asks me to verify myself, I refuse.
If it’s an expected call or they give me a good reason to, I’ll call their listed contact number back.
So far I have not missed out on anything of consequence by refusing to identify myself to someone who initiated contact with me.
jonplackett · 1h ago
I likewise refuse the bank’s call and they’re always really confused why I’d do such a thing - so clearly they have successfully trained all their other customers to be morons - and then they will no doubt blame them when they get conned.
1shooner · 2h ago
I get this from every Electron-based app that I have run as multiple OS users.
yieldcrv · 31m ago
> Apple confirms that I will be credited
congratulations on the credit
and they also paid you $1,000,000 or whatever their top bug bounty payout is right?
nmgycombinator · 24m ago
No word from them on the payout, yet. They only start deciding on if and how much to pay after the patch. I know for a fact it doesn't fall under the $1,000,000 reward tier as that is for their Private Cloud Compute platform. But it may fall under some of their other categories.
silvestrov · 1h ago
It took Apple a full year to release the fix. That is a very long time.
2024-05-04 I leave several additional update messages as I continue testing my PoC
2025-05-12 The patch is released
nmgycombinator · 1h ago
Yeah. I'm guessing there must be some legitimate (internal?) use cases for the behavior I found and they spent all that time working out the kinks to allow those edge cases while also not allowing malicious ones. Or perhaps it wasn't as high on their priority list as it required a higher level of user interaction (the user had to click "Allow"). In any case, though, I do believe that a year is a shockingly long time for them to take.
commandersaki · 2h ago
Love this guy's research, such good presentation!
nmgycombinator · 2h ago
Thank you very much! Although I'm not a guy, just fyi! I'm just a person :)
zoomTo125 · 1h ago
Almost a year to release a patch. If Apple takes that long, there is no hope for other vendors.
nmgycombinator · 1h ago
This is Apple-specific, though. So there aren't really any other vendors that are relevant to this specific scenario. I will say, they have been quicker with my other reports; taking just a few months as opposed to a full year.
e40 · 2h ago
> The patch is released
I assume that is with 15.5...
nmgycombinator · 2h ago
> which was patched in today's releases of macOS Sequoia 15.5 et al.
Correct.
JohnFen · 2h ago
Honestly, I don't really trust any permissions popups on anything anymore. They are often porous enough to count as "security theater".
coolcase · 43m ago
And at $Corp I get constant popups to enter my password or confirm an action. Like 50-100 a day.
nmgycombinator · 41m ago
I bet threat actors are just salivating at the thought of giving you a fake password prompt.
nmgycombinator · 2h ago
I honestly think this is a good skepticism to have. I generally don't hit "Accept" (or "Allow" or whatever) on any permission pop-up unless I know exactly what it's doing and what I need it for.
EGreg · 1h ago
I once sent an email to Steve Jobs back in 2009 or so
I told him that the MacOS permissions dialog could easily be spoofed, and that Macs should have a secret phrase or icon that you choose that they’d display inside these dialogs, and prevent their screen capture like what they had been doing with their recent DRM features.
Never heard back from him
And it never got implemented. Any program can still continue to spoof it and grab your system password.
nmgycombinator · 1h ago
I mean, at that point an app could just put up a fake prompt using the UI framework. And I think users would be more hesitant to type a full password than just click a button. But if you're talking about a bug similar to mine, where an attacker could use the OS's own code against it and make it show a prompt with misleading content, you might be able to report it to Apple Product Security and maybe get a bounty.
sureglymop · 15m ago
I wonder why they don't add a little led to their laptops that would indicate that it really is the system asking for your password. Kind of like the camera led.
trollbridge · 22m ago
I mean, a website could display a crafty popup-appearing box and try to get you to type in your username and password. Not really sure how you can prevent that.
Vista used the “the background dims quite a bit” to try to deal with that.
nmgycombinator · 15m ago
Yeah. I think the key thing in my vulnerability is that it abused a legitimate OS prompt and had the consequences of that prompt be applied to something separate from what the prompt text itself said it would.
EGreg · 12m ago
I just told you how… it would show your special icon or phrase inside so you’d confirm it before you typed anything.
The phrase would be managed through a system screen, like a login screen
[1]: https://developer.apple.com/documentation/servicemanagement/...