mjtsai + patrickwardle   29

Twitter
Is it just me, or are all available 10.15.* KDKs only for (random?) beta builds of macOS? 😭

i.e.
10.15.1 b1: 19B68f
10.15.2 b2: 19C39d

....and Apple also forgot to spell kernel!?

(Also, how does one install an Apple provided dev/debug kernel, on a read-only file-system? 🤔) pic.twitter.com/SchsHXBnCw

— patrick wardle (@patrickwardle) February 7, 2020
8 weeks ago by mjtsai
Twitter
Issue: Catalina's "privacy-protections" can break legit apps (e.g. VMWare screen recording) 😢

Fix: "Inject a dylib that invokes an API requiring Screen Recording Permission & thus triggering the permission modal in the context of VMware Fusion" 🤣😇🙌https://t.co/gdnO2bp2aR https://t.co/fpiQrTSnWC

— patrick wardle (@patrickwardle) February 3, 2020
8 weeks ago by mjtsai
Twitter
The only way we were able to reverse & analyze ToTok (that UAE govt. spy app that Apple approved to be in iOS App Store), was via a jailbreak (checkra1n): https://t.co/Nl36JGCd7h

Rather unfortunate (though not surprising) to see Apple take this approach towards jailbreaking 😤🍎 https://t.co/2huaig3zQs

— patrick wardle (@patrickwardle) December 28, 2019
december 2019 by mjtsai
Twitter
My external monitor is either:
a) attempting (& failing) to throw an exploit
or
b) the well-known macOS bug of "let's kernel panic when going to sleep connected to an external monitor" is stilllllll not fixed (Catalina 10.15.1) 😭

(triggers on multiple MacBooks) @AppleSupport pic.twitter.com/G5fuyQ2GD6

— patrick wardle (@patrickwardle) October 31, 2019
november 2019 by mjtsai
Twitter
Apple's "User-Approved Kext" loading, is a pain for 3rd-party developers, but aims to thwart exactly this type of (real) attack: https://t.co/DegOreVcW7 pic.twitter.com/DwdyDaLXr6

— patrick wardle (@patrickwardle) August 13, 2019
august 2019 by mjtsai
Twitter
Zoom: Let's allow remote access to your mic/cam
🛡️ OverSight: Fine, but we'll detect & alert

Apple: Let's silently remove Zoom
🛡️ BlockBlock: Fine, but we'll detect & alert

Free from: https://t.co/CcPeNYpmAh 🥳🤩

Love them? Support us on @Patreon: https://t.co/G6GgqjzneT 🙏🥰 pic.twitter.com/ciivDSP17l

— patrick wardle (@patrickwardle) July 12, 2019
july 2019 by mjtsai
Twitter
Remember when Apple posted on their website that "It [Mac] doesn't get PC viruses?" 🤔

Of course that was never true, but it's somewhat ironic that they are now (silently) releasing signatures for macOS's built-in "AV" tool (XProtect) to detect "PC viruses" infecting macOS 🤣😂 https://t.co/jmVzV0ilaL

— patrick wardle (@patrickwardle) April 19, 2019
april 2019 by mjtsai
Twitter
Got to play with @LinusHenze's 'KeySteal'. It's a lovely bug & exploit 😍😍

✅ works on macOS 10.14.3
✅ his payload dumps passwords, private keys, & tokens

Protect yourself by:
🔐manually locking your keychain
🔐 or setting a keychain-specific password https://t.co/K1hhjraH60

— patrick wardle (@patrickwardle) February 6, 2019
february 2019 by mjtsai
Twitter
^^this 💯
I have no idea how to check if my iPhone is hacked 😰

Nation States actually ♥️ hacking iPhones - largely because once they're in (and yes, they can get in even remotely), the chance of detection is essentially 0% 🤭

— patrick wardle (@patrickwardle) November 27, 2018
november 2018 by mjtsai
Twitter
ok, we have a winner (thanks to @joshuahstein! 🙏)

// access a private iVar that's really, truly an Int
// Swift always assumes `perform` returns an object :(
// so take the raw pointer value and reinterpret its bits as an Int
if let foo = bar.perform(Selector(("baz")))?.toOpaque() {
    let qux: Int = Int(bitPattern: foo)
    print(qux)
}

— patrick wardle (@patrickwardle) November 18, 2018
november 2018 by mjtsai
Twitter
Swift Question 🤔 To access a 'private' iVar of a system object (type int):

Obj-C: int foo = (int)[bar performSelector:NSSelectorFromString(@"baz") withObject:nil];

Swift: var foo = bar.perform(Selector("baz"))

'foo' type set to "Unmanaged
— patrick wardle (@patrickwardle) November 18, 2018
november 2018 by mjtsai
Twitter
Mojave's 'dark mode' is gorgeous 🙌
...but its promises about improved privacy protections? kinda #FakeNews 😥

0day bypass: https://t.co/rRf8t7C7Zf

btw if anybody has a link to 🍎's macOS bug bounty program I'd 💕 to report this & other 0days -donating any payouts to charity 🙏

— patrick wardle (@patrickwardle) September 24, 2018
september 2018 by mjtsai
Twitter
Q: Who is impacted more by Apple's additional "security" & "privacy" enhancements? 3rd-party devs or (real) attackers/malware authors/exploit devs? 🤔

A: 3rd-party devs 💯

ex: User Assisted Kext Loading (trivial to bypass), App Store Guidelines (trivial to bypass), etc. etc. https://t.co/w2fWWEwvYd

— patrick wardle (@patrickwardle) September 10, 2018
september 2018 by mjtsai
Twitter
Fake reviews are also a well known issue in the official Apple Mac App Store 😥

Such reviews cause lots of shady apps to be highly ranked and thus downloaded by many unsuspecting Mac users 😥😥 https://t.co/kp6l0bUVCP

— patrick wardle (@patrickwardle) September 9, 2018
september 2018 by mjtsai
Twitter
💯!! IMHO, the majority of Apple's macOS "security mechanisms" are 1% about security and 99% about control 😠😢

"User Assisted Kext Loading" being a perfect example. Real attackers who want ring-0 access are never going to load a kext -they'll just use a macOS kernel bug 😬 https://t.co/BswvZHzsqF

— patrick wardle (@patrickwardle) August 28, 2018
august 2018 by mjtsai
Twitter
From my @DefCon talk:
Apple's "User Assisted Kext Loading" is a huge PITA for 3rd-party devs/breaks apps...but hackers can bypass trivially 😭

//0day bypass
// 2x 🐭⬇️ on 'Allow' btn
CGPostMouseEvent(point, true, 1, down);
CGPostMouseEvent(point, true, 1, down);

...blog soon📝 pic.twitter.com/PZESutEsaO

— patrick wardle (@patrickwardle) August 13, 2018
august 2018 by mjtsai
What's in your Mac ('notification database')? 🍎🙈 Wrote a simple (self-contained) python script 🐍 It locates the database, then parse & dumps all records (slack, imsg, signal, etc, etc,) : https://t.co/ypYzDmAnPT ...give it a run 😅 pic.twitter.com/EdYV37pHDc

— patrick wardle (@patrickwardle) May 10, 2018
may 2018 by mjtsai
Did you know you can find bugs in macOS, such as in Apple's "Security" framework ...by simply opening the project!?🍎🤮 I'm not even kidding 😭😭😭 Using uninitialized pointers - never a good idea! Read: "An Insecurity in Apple's Security Framework?": https://t.co/6YwovDLmFu #SMH pic.twitter.com/rCjoH2H25X

— patrick wardle (@patrickwardle) May 4, 2018
may 2018 by mjtsai
if code from a legitimate app invokes Apple's APIs in a benign manner, yet triggers crashes in their "Security" framework - imagine what fuzzers/hackers are finding? Actually no - don't think about that...will just make you weep 😭😭 ...neat bug though; stay tuned for blog post 😉 pic.twitter.com/LOVKmu96ha

— patrick wardle (@patrickwardle) May 2, 2018
may 2018 by mjtsai
gorgeous macOS (remote) browser bug + exploit chain to ring-0 🔥😍 https://t.co/V8qVyiVLgO

— patrick wardle (@patrickwardle) March 15, 2018
march 2018 by mjtsai
I believe that's where the bug resides as 'kSecCSUseAllArchitectures' correctly returns a code signing issue. Problem is, what ends up running by default (i.e. what the runtime identifies/executes as native architecture) is unsigned malicious code. So there is a discrepancy :(

— patrick wardle (@patrickwardle) February 22, 2018
february 2018 by mjtsai
the 'good news' is Apple's utils/defenses such as Gatekeeper & vm.cs_enforcement=1 aren't tricked....just basically every 3rd-party security tool 😭😭 Until Apple fixes this - don't invoke said API with 'kSecCSDefaultFlags' #ThanksApple #MacBugBounty!? #Kudos2Josh

— patrick wardle (@patrickwardle) February 22, 2018
february 2018 by mjtsai
🤬🤬 Apple's SecStaticCodeCheckValidity() API validates the signature of a file. Allows AV/security tools to say stuff like: "I'll trust this 🍎-signed binary!" But malware can trick it into saying they are signed by Apple: https://t.co/r3hFGnGDuW WTFFF (🐛-credit: @midnite_runr)

— patrick wardle (@patrickwardle) February 22, 2018
february 2018 by mjtsai
as (now publicly) noted "H. Sierra's `defaults read` command DELETES your plist if invalid"-@kcrawford Here's the bug/reason why: -[CFPDSource copyPropertyListWithoutDrainingPendingChangesValidatingPlist:] in CoreFoundation calls unlink() if plist validation fails🐛🤣 #bug #apple pic.twitter.com/xbhR20MwgO

— patrick wardle (@patrickwardle) February 21, 2018
february 2018 by mjtsai
The Good: by default macOS audits (and logs) login/logout & authentication/authorization events 🔐 The Bad: when such events are performed via touchID (i.e. an unlock) they appear to be missed/not audited!? 🍎🤒☠️ #AuditFail @AppleSupport (cc @bruienne noticed this too) pic.twitter.com/07Hor5DQ1H

— patrick wardle (@patrickwardle) January 28, 2018
january 2018 by mjtsai
Apple, in their infinite wiseness & wisdom, refuse to create a macOS bug bounty program 😟 Tempting to sell such bugs for sure - but I'm blessed to have many patrons who support my work: https://t.co/G6GgqjhMnl 🙏🙏 #patreon https://t.co/bXPPYFVRqk

— patrick wardle (@patrickwardle) January 17, 2018
january 2018 by mjtsai
The Ugly: for the last ~13 years (OSX 10.4+) anybody could locally sniff 'auth tokens' then replay them to stealthily & reliably elevate to r00t 🍎🤒☠️ The Bad: reported to Apple - they *silently* patched it (10.13.1) 🤬 The Good: when confronted they finally assigned a CVE + updated docs 😋 pic.twitter.com/RlNBT1DBvK

— patrick wardle (@patrickwardle) January 16, 2018
january 2018 by mjtsai
"would've submitted to Apple if their bug bounty included macOS" ...yah, why doesn't Apple have a macOS bug bounty program!? Do they not know it's 2018? 🤷‍♂️ https://t.co/D1RifkGFZl

— patrick wardle (@patrickwardle) January 1, 2018
january 2018 by mjtsai
'confirmed' (sess 706?), that 'Anywhere' won't be present in UI :| Still can allow unsigned code to run via spctl, management profile, etc.

— patrick wardle (@patrickwardle) June 15, 2016
june 2016 by mjtsai
