Breaking macOS App Sandbox Data Containers, TCC, and Hijacking Apps
A significant security vulnerability in macOS was discovered, allowing attackers to bypass App Sandbox protections. This flaw, linked to the Archive Utility, enables unauthorized access to sensitive files and the hijacking of third-party applications. Apple has addressed this issue in macOS version 26.4, but earlier versions remain at risk.
- The vulnerability allows attackers to gain full access to files protected by macOS app data containers without triggering permission prompts.
- Attackers can hijack third-party apps by replacing their executables, impersonating trusted applications.
- The exploit requires only two user actions: running the attacker's code and dragging and dropping a specific file.
Opening excerpt (first ~120 words):

CVE-2026-28910: Breaking macOS App Sandbox Data Containers, TCC, and Hijacking Apps Using Archive Utility
2026-05-19 by Talal Haj Bakry and Tommy Mysk

Until macOS 26.4, Archive Utility had nearly unrestricted filesystem access. Combined with a drag-and-drop sandbox quirk, this let an attacker bypass App Sandbox data containers, Transparency, Consent, and Control (TCC) protections, and hijack third-party apps — all without special permissions or elevated privileges.

Table of Contents
- Affected Platforms
- Summary
- Summary for Non-Technical Readers
- Background
- A Quick Introduction to macOS App Sandbox and Data Containers
- Archive Utility's (Nearly) Unrestricted Filesystem Access
- Drag & Drop: An Intentional Sandbox Loophole
- Unleashing Archive Utility
- Introducing au‑cp: Golden Copy
- Data Exfiltration…
The full article is at Mysk Blog – In-Depth Cybersecurity & Mobile App Privacy Research.