Search

The media in this post is not displayed to visitors. To view it, please go to the original post.

📝🚨 New blog post: How a bug in Archive Utility allowed access to protected app data (including iMessage and WhatsApp chats, and Safari cookies) without any permissions.

The bug could also be exploited to hijack installed apps such as Signal and 1Password to perform phishing attacks.

Apple fixed the issue in macOS 26.4 as CVE-2026-28910, five months after we reported it

#Apple #macOS #privacy #security #cybersecurity #infosec

mysk.blog/2026/05/19/cve-2026-…

CVE-2026-28910: Breaking macOS App Sandbox Data Containers, TCC, and Hijacking Apps Using Archive Utility

Until macOS 26.4, Archive Utility had nearly unrestricted filesystem access. Combined with a drag-and-drop sandbox quirk, this let an attacker bypass App Sandbox data containers, Transparency, Consent, and Control (TCC) protections, and hijack third-…

^{Mysk Blog – In-Depth Cybersecurity & Mobile App Privacy Research}

Items tagged with: macos

Mysk🇨🇦🇩🇪

1 week ago

Mysk🇨🇦🇩🇪
1 week ago

CVE-2026-28910: Breaking macOS App Sandbox Data Containers, TCC, and Hijacking Apps Using Archive Utility

Search

Items tagged with: macos

Mysk🇨🇦🇩🇪 1 week ago

Mysk🇨🇦🇩🇪 1 week ago

CVE-2026-28910: Breaking macOS App Sandbox Data Containers, TCC, and Hijacking Apps Using Archive Utility

Mysk🇨🇦🇩🇪

1 week ago

Mysk🇨🇦🇩🇪
1 week ago