Csaba Fitzl

@theevilbit
334 Followers
78 Following
41 Posts
macOS Security -- Trail running 🏃 -- Mountains ⛰ -- Tolkien fan
Blog: https://theevilbit.github.io/

🎙️ For the @MDOYVR podcast, we added a complete transcription to increase its accessibility. We use @auphonic's AI transcription feature to bring this to the pod and have been impressed with the ease.

🗣️ Check out our latest conversation 😎 Mat X and I had with Kandji's @theevilbit. Join us June 11-13, 2025, in Vancouver, BC 🇨🇦 to continue the conversation with speakers like Csaba and more!

📝 Have you seen the transcripts? What do you think? https://mdopod.com/researching-vulnerabilities-with-csaba-fitzl/

Researching vulnerabilities with Csaba Fitzl | MacDevOpsYVR

In this episode, we dive deep into the dynamics of security and development in the Apple ecosystem, featuring insights from cybersecurity expert Csaba Fitzl ...


I've recently been working to understand what triggers certain TCC prompts on macOS. During this investigation I noticed something that many prior analyses of TCC overlook: TCC prompts can be triggered not only by system frameworks, but by the Sandbox kernel extension in response to rules defined by the platform sandbox policy.

My latest blog post documents the sandbox features behind this and provides examples of some of the responsible sandbox policies.

https://bdash.net.nz/posts/tcc-and-the-platform-sandbox-policy/

TCC and the macOS Platform Sandbox Policy // Mark Rowe

How some macOS privacy prompts are triggered from within the kernel via sandbox policies

We are incredibly excited to announce that @theevilbit will be speaking at MDO YVR in Vancouver. "Finding Vulnerabilities in Apple packages at Scale" will be part of a full day of security talks. Join us June 11-13, 2025 https://mdoyvr.com/speakers-2025/
Speakers 2025

Note: The full 2025 speakers list will be posted in the coming weeks. Stay tuned. Mykola Grymalyuk (RIPEDA Consulting) MDM Hygiene – How safe is your Mac fleet? As the popularity of Macs grows i…


🍎🐛🎙️ Following my #poc2024 talk we are releasing a blog post series at Kandji, detailing the vulnerabilities of diskarbitrationd and storagekitd I discussed in my "Apple Disk-O Party" talk.

The first part is out, and covers CVE-2024-44175.

https://www.kandji.io/blog/macos-audit-story-part1

Uncovering Apple Vulnerabilities: The diskarbitrationd and storagekitd Audit Story Part 1

Kandji's Threat Research team performed an audit on the macOS diskarbitrationd & storagekitd system daemons, uncovering several (now fixed) vulnerabilities

Oh interesting, as part of Private Cloud Compute source code, Apple also open sourced (of sorts) the Endpoint Security API client that they seem to be running on PCC:

https://github.com/apple/security-pcc/blob/main/SecurityMonitorLite/securitymonitorlited/ESClient.swift

security-pcc/SecurityMonitorLite/securitymonitorlited/ESClient.swift at main · apple/security-pcc


The Apple Security Research blog now has an RSS feed, though it’s not properly advertised.

https://security.apple.com/blog/feed.rss

I'm super excited to share that we've launched the Private Cloud Compute Security Guide and Virtual Research Environment. This is a huge step forward for cloud AI compute and I'm looking forward to the broader security community digging in!

https://security.apple.com/blog/pcc-security-research

Blog - Security research on Private Cloud Compute - Apple Security Research

Private Cloud Compute (PCC) fulfills computationally intensive requests for Apple Intelligence while providing groundbreaking privacy and security protections — by bringing our industry-leading device security model into the cloud. To build public trust in our system, we’re making it possible for researchers to inspect and verify PCC’s security and privacy guarantees by releasing tools and resources including a comprehensive PCC Security Guide, the software binaries and source code of key PCC components, and — in a first for any Apple platform — a Virtual Research Environment, which allows anyone to install and test the PCC software on a Mac with Apple silicon.


🍎🗒️ New macOS persistence blog post. 🎉
➡️ Persist through the NVRAM - The 'apple-trusted-trampoline'
Meet the rc.trampoline launchd 🚀 boot task.

https://theevilbit.github.io/beyond/beyond_0035/

Beyond the good ol' LaunchAgents - 35 - Persist through the NVRAM - The 'apple-trusted-trampoline'

This is part 35 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. TL;DR - This is a practically completely useless persistence, as this can be only set and enabled when SIP is actually disabled. On the other hand I still find it a pretty amazing way to persist, as we can do that by putting a binary into NVRAM and get that executed. Here follows the details of the discovery.


The slides to our BlackHat Asia talk "The Final Chapter: Unlimited ways to bypass your macOS privacy mechanisms" with @_r3ggi are now available at the event's website:

https://i.blackhat.com/Asia-24/Presentations/Asia-24-Fitzl-Wojciech-Unlimited-ways-to-bypass-your-macOS-privacy-mechanisms.pdf

Unpopular realities: The App Store really, really does make you safer on your mobile devices, even if it does that by preventing a lot of specialty applications from existing on their platform. Fortunately, you can still use Android if you'd rather.