As promised, I just dropped a dozen new sandbox escape vulnerabilities at #POC2024 If you missed the talk, here is the blog post: https://t.co/zTcENNrZun Slides: https://t.co/sWztf0ygM4 Enjoy and find your own bugs 😎

A really thorough overview of the research:

The slidedeck to our talk, Crash One: A Starbucks Story - CVE-2025-24277, with @gergely_kalman from @hexacon_fr and @objective_see #OBTS is available from the link below. It was a macOS vulnerability impacting the crash reporting process where we could achieve LPE and sandbox

Excited to share our research on ChillyHell, a modular macOS backdoor targeting officials in Ukraine. Check out our write-up for more details. https://t.co/RakC7KEQAU

For those missing the talk, Blog: https://t.co/XBvFMbsfi0 Slides:

A tiny timing flaw in Apple’s core file-copy APIs can put millions of devices at risk 📂🍏 Despite warnings, Apple thought it was “too hard to exploit”—until Mickey Jin developed an exploit that steals secrets in privileged services 👉 https://t.co/aygSUbH82F #NullconBerlin2025

Thank you @helpnetsecurity to mention us 👍 awesome research by @tsunek0h #macOS #applesecurity #NullconBerlin2025 https://t.co/RuYmmZRmc4

🚨 New blog post: ELEGANTBOUNCER - Catch iOS 0-click exploits without having the samples. Features iOS backup forensics & messaging app scanning for iMessage, WhatsApp, Signal, Telegram & Viber attachments. 🔗 Link ->

🍏 #AppleDevelopers use NSFileManager thinking it’s safe — but @patch1t found a race condition once thought “impossible to exploit.” At #NullconBerlin2025, he’ll show how it works, why CVE-2024-54566 failed, and Apple’s final fix. 👉 https://t.co/aygSUbH82F #iOS #applesecurity

Brief info and POC for this week's Apple 0click iOS 18.6.1 RCE bug CVE-2025-43300 https://t.co/EL3qg56N8X

We released our Fuzzilli-based V8 Sandbox fuzzer: https://t.co/eVkR1bl76n It explores the heap to find interesting objects and corrupts them in a deterministic way using V8's memory corruption API. Happy fuzzing!

Launch constraints are annoying as a security researcher. What if you didn't have to worry about them? https://t.co/GOZjFhe87g

So CVE-2025-43268 was indeed my vuln in cryptexctl, but @0x3C3E found it first, kudos to him. Here's the "exploit", which makes sudo try and load an unsigned dylib from the current directory: /S*/L*/S*/u*/b*/c*.r* exec $PWD/ sudo ls

Will share one of them at the Nullcon Berlin @nullcon

I just got 16 new CVEs in this new release 🤣🤣🤣

📢 Just dropped: the full #OBTS v8 talk lineup! https://t.co/WnHCvCdWqm And for the first time we'll have 3 full days of presentations! 🤩 Congrats to the selected speakers and mahalo to all who submitted. With ~100 submissions, selecting the final talks was a daunting task! 😫

I lightly mentioned CVE-2025-31235, a double-free I found in coreaudiod/CoreAudio, during my OffensiveCon presentation last month. It's been derestricted now, so enjoy my writeup which includes a PoC and dtrace script to help understand the vulnerability!

My "Finding Vulnerabilities in Apple Packages at Scale" talk is up on YT 🎉

Woah, @WangTielei talk “Sending Me Your IOUserClients: A Bypass to Immovable Ports” at @deepsec_cc was insanely good! I enjoyed it! Super clever new discovery. feels awesome to see other researchers referencing my past work.

Stoked for Jaron Bradley's soon to be released 2nd-book: "Threat Hunting macOS" 😍📚 (And was honored to write its forward). Jaron is an outstanding researcher, speaker, trainer, & friend, and this book will become an essential macOS security resource. https://t.co/1XpmC1VbNU

Our new blog post is live: