You boot an operating system on the machine, you have access to all unencrypted files, what is so strange about this? You can do the same thing with Terminal. And smells of GenAI...
girvo•1h ago
EDIT: The person I replied to entirely rewrote their comment (with no indication they did so) so mine seems weird now, apologies for that.
Apple fixed the issue it seems, but did kind-of-sort-of ignore it. The argument from the OP is that it requires physical access, you don't need to convince the user to do anything, the attacker can do it...
...which Apple pointed out (in the article you're commenting on) that if FileVault was enabled this wouldn't be possible, which is true.
And if you have physical access and no encryption, then it's kind of game over anyway. But still, kind of neat to find something like this and Apple fixed it regardless
lights0123•1h ago
Yep. While the Terminal is not an option from the 4 apps listed in the initial screen, it's available from Utilities → Terminal at the top. They even provide a convenient way to access the hard drive from another computer: https://support.apple.com/guide/mac-help/macos-recovery-a-ma...
yaseeng•40m ago
You're right that Terminal is accessible via Utilities, but Target Disk Mode and Terminal both require an admin password. Safari bypassed that authentication entirely, writing directly to protected system locations with no admin password.
jeroenhd•1h ago
Apple tries to lock down access at the very least. They also patched the vulnerability twice (they restricted Safari for some reason and they also disabled the settings in the new version of Safari). It seems like Apple cares at the very least. Which is weird, because they also give you a terminal?
Lots of people I've met were surprised that I was able to get their photos from their Windows laptops without ever needing their password. Especially these days in the age where even phones and Windows 11 will enable encryption by default, it's a tad weird that disk encryption isn't on by default on macOS. I, at the very least, was surprised that disk encryption isn't mandatory and always on on macOS, seeing the way Apple controls both the OS and the TPM firmware so that they're pretty much immune to the dreaded "BIOS update made my laptop ask for BitLocker" problem you get on Windows.
I don't really get why this would be AI generated, what makes you think that?
lilyball•54m ago
At the very least the author's submission and follow-ups to Product Security look written by AI.
yaseeng•39m ago
I come from an Arabic-speaking household so my English can be a bit funky sometimes, sorry. However I did use Claude to help format the CVSS tables and polish the grammar in the formal Apple submission (I was 17 submitting to a major company's security team for the first time). The research and findings however are entirely original.
yaseeng•37m ago
Completely agree on the encryption point. Apple controls the entire stack and could mandate FileVault encryption by default. The fact that it's opt-in is a weird decision that hasn't caught up with their security posture elsewhere.
On the Terminal point, it's worth clarifying that Recovery Terminal does require mounting the data volume first, which typically prompts for an admin password. Safari bypassed that step entirely, which is what made it interesting.
yaseeng•41m ago
Actually, this is a distinction worth clarifying: in Recovery Mode, Terminal does require mounting the data volume first, which typically prompts for an admin password. Safari bypassed this entirely, writing directly to protected system locations without any authentication. Furthermore, no GenAI was used in writing the article. I come from an Egyptian-speaking background so my English may be a bit funky, sorry :)
yaseeng•44m ago
For context: I submitted this to Apple in September 2025 and waited 6 months before publishing. Apple closed both reports citing FileVault as a mitigation, which is technically accurate, but FileVault is opt-in and many people disable it during setup without understanding what it does (myself included when I got my MacBook in 2020). My personal view is that the behavior significantly reduces the effort required to persist data on an unencrypted system compared to, for example, side-loading Linux. Regardless, Tahoe 26.3 (it might have been patched before, I didn't check) appears to have silently patched both issues.
AshamedCaptain•1h ago