RT @fileintegrity: Proud to announce that I’m interning at Apple this summer on the UIKit team!!

I am sorry for anyone who’s ever DMed me and I didn’t respond or check because this most of my DM list…

today is my birthday.

I found out a way, but it seems like it fails to bundle any frameworks with the app, fun….

Weird question: Does anyone know of any way to upload iOS apps with 32bit slices onto App Store Connect nowadays, or are all ways of doing it discontinued?.

I'll port the github gist over to a blogpost eventually when I feel like it. .

Finally put out a tutorial for creating certificates to sign shortcuts instead of having Apple do it. Thought this was a vuln at first but Apple closed the report after a couple months so I guess it's intended. Old demo also here:

RT @elihwyma:

RT @eshard: Our journey with the #iOS emulator continues. We show how we reached the home screen, enabled multitouch, unlocked network acc….

I figured out today that if you have a pbzx with the compressedSize == uncompressedSize (at least for ZLIB) iOS fails to extract it. I thought this was a bug with libNeoAppleArchive at first but after some testing yeah it’s this.

Shout out to bsd/net/dlil_subr.c because i keep getting a integer overflow somehow which results in a panic (this is not a vulnerability I believe, just a kernel bug but is very annoying for daily use…).

I wonder how this works 🤔.

One thing that I’ve always wanted to reverse is how Shortcuts handles its permissions, but I’ve never had the time… maybe I should finally look into it even if I don’t think I’ll find anything.

Be totally honest, would you think anyone would use a Shortcuts emulator that works on Linux (and other Unix systems)?.

I really should not have waited this long to diff it lol. Most of my attention has moved to Kernel recently but I am still looking at libAppleArchive too, I wonder if there are any more bugs that I haven't found yet hmm. .

I *finally* got around to checking the patch for libAppleArchive; seemed like they now properly check for mkdir() return (and some other stuff), good patch.

Well I asked them, 80% chance they're going to deny, I wish I thought of this when I submitted my original report. My biggest hope is that the macOS sandbox escape part may not be considered after the fact since I did technically show them a PoC of it, just not automated.

I’m like 80% sure Apple will reject the bounty reevaluation I will send them, but I mean, it never hurts to try, praying they actually accept and give me a bounty even if they decrease it since it’s after the fact 🙏.

Thing is I didn’t submit this or the Sandbox Escape (well I did kinda the sandbox escape but just mentioned it as a gatekeeper bypass), and it’s already been marked as resolved so idk if they would still accept these, my bad. If they do though, like they gotta pay for this right.

Assuming shortcut privacy prompts are kept in database, these can also be overwritten by the exploit. So then, our attacker can have as much data about the user that Shortcuts lets them. Should I resubmit this + sandbox escape for bounty reeval or since it’s been 1 year no (3/3).