Ryan Dowd

150 posts

@_rdowd

Principal @HuntressLabs | Former Detection & Response Principal @CrowdStrike | macOS Security Enthusiast

Australia · Joined May 2024
81 Following · 414 Followers
Ryan Dowd reposted
Jai Minton @CyberRaiju
I teamed up with Ryan Dowd to investigate a fake OpenClaw installer hosted on GitHub. This was also picked up by Bing's AI and recommended as the correct way to install OpenClaw on Windows. huntress.com/blog/openclaw-…
Ryan Dowd reposted
Gergely Kalman @gergely_kalman
4 new CVEs in the latest Apple update, 2 with @theevilbit and 2 on my own. I will try to do and get writeups out for these, but right now I'm writing material for the training still. This is turning into a book... Anyway, update your systems!
Ryan Dowd reposted
Olivia Gallucci ✨ @OliviaGalluccii
I'm excited to announce that I'll be speaking at @BSidesSF & @DianaInitiative on how to detect race conditions on macOS! 🌁 Big thanks to Andrew Krug and Adam Messer for supporting my work, and helping me submit to these amazing conferences! #InfoSec #BSidesSF @DatadogHQ
Ryan Dowd @_rdowd
Update: Things are back on track now.
Ryan Dowd @_rdowd
How it started: "Target Flags are a new security research capability in Apple operating systems that make it easier to objectively demonstrate your findings and determine your award eligibility." How it's going:
Ryan Dowd @_rdowd
@m1thr1da Having the report abruptly closed without comment or email notification of the status change is a little bit frustrating, I won't lie.
m1thr1da @m1thr1da
@_rdowd The hard part of being an Apple bug hunter 😔
Ryan Dowd @_rdowd
@VanStorek I have no problems with this post being shared :)
Ryan Dowd @_rdowd
Updated my ransomware PoC to remove the reboot requirement. Full TCC bypass for Tahoe 26.2 chained with a DoS exploit to demo exfiltration of private data and wipe the user's home directory while the user session remains active.
John Aakerblom @jaakerblom
@gergely_kalman @_rdowd Safari RCEs have categorically always been paid $0 unless chained, to my knowledge, with them often being brought up as an unpaid category in Apple Security Bounty discussions amongst researchers at cons and a reason to choose other research areas if choosing to submit to Apple.
Ryan Dowd @_rdowd
I've been seeing a lot of discussion online recently about the changes to Apple's bug bounty program, specifically the downgrading of payouts for TCC bypass vulnerabilities. I was recently asked for my thoughts on this matter. I figured the best way to illustrate the importance of supporting research into this class of bug was to demonstrate the real-world impact. I created a small ransomware POC with clickfix-esque deployment (since that's what the cool kids are doing nowadays). No TCC prompts or any other system warnings. It exfils all sensitive user data and deletes the user's home and iCloud data.
Ryan Dowd @_rdowd
I'm not comparing TCC to other bug classes (I'm not that familiar with those payouts anyway). I've reported bugs with far greater impact on integrity and availability that only got the $1000 'low impact' tier. Maybe TCC bypasses were overvalued to begin with, or maybe they aligned with Apple's values at the time. I still drive past their 'Privacy is King' billboard regularly.
John Aakerblom @jaakerblom
@gergely_kalman @_rdowd TCC at $5,000 remains relatively a lot, though, when compared to iOS Safari RCEs, kernel infoleaks and other types of bugs that Apple have always held a very strong position in categorically assigning the inherent value of at $0, consistently paying nothing for them unless chained.
Ryan Dowd @_rdowd
@NietzscheLab @stuartjash The exploit involves multiple bugs so once I report them and get them patched I'll provide a write up and POC.
Ryan Dowd @_rdowd
0:00 - Running latest macOS Tahoe on our virtualised victim machine. SIP enabled, reset user's TCC settings, showing no FDA-enabled apps. Showing example content to be stolen.
0:30 - Exploit triggered.
0:40 - Creating web server endpoint to collect exfiltrated payload. Victim host is rebooted.
1:40 - Second stage of the payload executes, unbound by TCC.
1:45 - Exfiltrated data reaches our web server. Wallpaper changed.
1:50 - All victim user home data is purged from the system.
1:55 - Browse exfiltrated data on the attacker device; Documents, Contacts, Photos, etc.
2:20 - /Users/ dirlist reveals entire victim $HOME is gone.
Ryan Dowd @_rdowd
To all those who've asked me to write up my recent CVEs, I promise that I've been working on this, but 3/3 writeups have involved me finding simple workarounds resulting in new bug submissions to Apple. However, I've got a sweet little bit of research. Video to be released soon!
Ryan Dowd reposted
Csaba Fitzl @theevilbit
🧵 Apple just devalued full TCC bypasses from 30.5k to 5k. Hard to interpret this in a good way. It feels like: we admit we can't fix this shit and we don't care, or at least are not willing to pay for it; we don't care about privacy. security.apple.com/bounty/categor…
Ryan Dowd @_rdowd
@0x4D31 This looks pretty epic. Any idea when it'll be available for a test drive?
Adel Ka @0x4D31
🪄 process tree🎄