Mysk🇨🇦🇩🇪

@mysk
3K Followers
170 Following
1.1K Posts
We're two #iOS developers and occasional #security researchers on two continents. #CyberSecurity 🇨🇦🇩🇪
X: https://x.com/mysk_co
Blog: https://mysk.blog
YouTube: https://youtube.com/@mysk
Old Mastodon: https://defcon.social/@mysk
@ashah Brave. But if you're a targeted individual, either use Safari or DuckDuckGo installed from the Mac App Store. Brave is not offered on the Mac App Store.
We will no longer submit bugs we discover in Apple systems through Apple Bounty Program.

If you like to support our unpaid charity work to keep the software of a 4-trillion-dollar company safe, take a moment to download and try our private browser for iOS Psylo:

https://apps.apple.com/app/psylo-private-browser-proxy/id6741358035

And coffee energizes our work:

https://buymeacoffee.com/mysk

We had lengthy discussions explaining the bug to Apple. It was clear to us the bug was new to Apple Product Security. After 5 months, they informed us that the report was treated as a duplicate and it was addressed.
We just got this update for CVE-2026-28910: No bounty

You can read the full blog post (aka charity work for a 4-trillion-dollar company) highlighting this bug here:

https://mysk.blog/2026/05/19/cve-2026-28910/

#apple #privacy #macos #infosec #security

This exchange from X adds some context:

https://infosec.exchange/@psylo/116633092694513326

@__ic Hey, alternative sources to what?
I took the screenshot today, but I haven't used WhatsApp on my Mac since 2024. During our testing, as shown in the demo, we use VMs. I just wanted to show the containers quickly and didn't have a VM ready 🫣. I didn't know the post would be shared that much. The bug is not related to WhatsApp. Apps published by the same developer can access their shared containers by design.
@erlenmayr There are rules for app acquisitions that eventually enable one developer, in this case Meta, to own all apps acquired through acquisitions, even if they have different bundle IDs.

On iOS and macOS, WhatsApp stores chat databases unencrypted in an app group container accessible to apps from the same developer. So all Meta apps on the same iPhone (e.g., Facebook) can read WA chats in plaintext without permission, and users wouldn't be notified.

https://blog.cryptographyengineering.com/2026/02/02/whatsapp-encryption-a-lawsuit-and-a-lot-of-noise/
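A defender-side way to check the property described above, added here as an example and not code from Mysk, WhatsApp or the linked post: it walks app group containers and flags database files whose 16-byte header shows plain SQLite rather than an encrypted blob. The macOS location `~/Library/Group Containers` is an assumption, and a constructed sample tree (not real WhatsApp data) is used when that directory is absent.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Magic header of an unencrypted SQLite 3 file (16 bytes, NUL-terminated).
# Encrypted stores (e.g. SQLCipher) start with random-looking bytes instead.
SQLITE_MAGIC = b"SQLite format 3\x00"

def classify_db_file(path: Path) -> str:
    """Return 'plaintext-sqlite', 'not-sqlite-header' or 'unreadable'."""
    try:
        with path.open("rb") as f:
            header = f.read(16)
    except OSError:
        return "unreadable"
    return "plaintext-sqlite" if header == SQLITE_MAGIC else "not-sqlite-header"

def audit_group_containers(root: Path) -> dict[str, list[str]]:
    """Map each group container under `root` to the database-looking files
    inside it that are stored as plaintext SQLite."""
    findings: dict[str, list[str]] = {}
    for container in sorted(p for p in root.iterdir() if p.is_dir()):
        hits = [str(f.relative_to(container))
                for f in container.rglob("*")
                if f.is_file() and f.suffix in {".sqlite", ".sqlite3", ".db"}
                and classify_db_file(f) == "plaintext-sqlite"]
        if hits:
            findings[container.name] = sorted(hits)
    return findings

def build_sample_tree() -> Path:
    """Constructed sample: one container holding a plaintext SQLite database,
    one holding an opaque blob standing in for an encrypted store."""
    root = Path(tempfile.mkdtemp())
    plain = root / "group.example.messenger"   # hypothetical container name
    plain.mkdir()
    con = sqlite3.connect(plain / "ChatStorage.sqlite")
    con.execute("CREATE TABLE msg(id INTEGER, body TEXT)")
    con.execute("INSERT INTO msg VALUES (1, 'hello')")
    con.commit()
    con.close()
    opaque = root / "group.example.other"      # hypothetical container name
    opaque.mkdir()
    (opaque / "store.db").write_bytes(os.urandom(4096))
    return root

if __name__ == "__main__":
    real = Path.home() / "Library" / "Group Containers"  # assumed macOS path
    print(audit_group_containers(real if real.is_dir() else build_sample_tree()))
```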

This is a demo we prepared recently to show a macOS bug that allowed unrestricted access to protected app containers. WhatsApp stores data at rest without encryption.

https://m.youtube.com/watch?v=Naq5IojVoNs