Root Persistence via macOS Recovery Mode Safari
by yaseeng on 4/6/2026, 8:41:41 PM
https://yaseenghanem.com/recovery-unrestricted-write-access/
Comments
by: yaseeng
For context: I submitted this to Apple in September 2025 and waited 6 months before publishing. Apple closed both reports citing FileVault as a mitigation, which is technically accurate but FileVault is opt-in and many people disable it during setup without understanding what it does (myself included when I got my MacBook in 2020). My personal view is that the behavior significantly reduces the effort required to persist data on an unencrypted system compared to for example side-loading Linux. Regardless, Tahoe 26.3 (It might have been patched before, I didn't check) appears to have silently patched both issues.
4/6/2026, 9:50:04 PM
by: AshamedCaptain
You boot an operating system on the machine, you have access to all unencrypted files, what is so strange about this ? You can do the same thing with Terminal. And smells of GenAI...
4/6/2026, 9:03:04 PM