Post · bonfire.cafe

🏜️🎁 We accidentally found a security flaw in macOS Tahoe and earlier

An attacker can trick a user into performing a simple yet common action that breaks the sandbox protection of any file (e.g iMessage database and Safari browsing data) giving any application permanent access to the target file

Of course, we’re still investigating and won’t reveal the details until we report it to Apple. Though it shocked us that such a simple action can have such an effect on the sandbox.

RE: https://mastodon.social/@mysk/115283952511882565

To demonstrate this vulnerability, we picked:
iMessage
Safari
Signal
1Password
Figma

We recorded nice videos that we can't wait to publish once Apple gives us the go-ahead.

‼️NOTE: This is a macOS bug and has nothing to do with the apps we picked.

Make sure you follow our YouTube channel. The demos are best viewed on a desktop screen.

#privacy #infoSec

Mysk🇨🇦🇩🇪

@mysk@mastodon.social replied · 5 days ago

We apologize to our @psylo users for delaying a few features due to the work on this critical macOS bug. We're back 💪

To support our research, consider downloading Psylo, our private browser for iOS:

https://apps.apple.com/app/id6741358035

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate

bonfire.cafe: About · Code of conduct · Privacy · Users · Instances

Bonfire social · 1.0.0 no JS en

Automatic federation enabled