
Security duo Mysk has disclosed an unpatched macOS vulnerability that they say allows web-installed applications to silently modify other apps' binaries, potentially bypassing key macOS security protections.
In a post published on X, Mysk said the issue affects macOS 26 and macOS 27 and allows “any command” to modify other applications' binaries in the background without displaying password prompts or other visible warnings. According to the researchers, they discovered the bug accidentally and reported it to Apple approximately two weeks ago, but have not yet received a response.
Mysk claims the vulnerability impacts applications distributed outside the Mac App Store, including widely used software such as Signal, Brave, Google Chrome, and even Apple's Xcode development environment. The researchers say that after an application's binary is modified, it can retain access to the original app's Keychain records and protected containers, potentially allowing unauthorized access to sensitive data.
The researchers emphasized that applications downloaded through the Mac App Store are not affected by this issue. Many macOS developers choose to distribute their software directly from their websites instead of through Apple's marketplace, partly because the App Store is subject to Apple's review process and payment policies.
Although Mysk demonstrated the vulnerability in a proof-of-concept video, the researchers have not publicly released technical details or an exploitation script while the flaw remains unpatched. The decision limits the immediate risk of copycat attacks while giving Apple additional time to investigate and develop a fix.
The researchers also noted that they had previously decided against using Apple's Security Bounty program but chose to report this vulnerability due to its potential security impact.
At the time of writing, Apple has not publicly acknowledged the reported issue or released security updates addressing it.
Until a fix becomes available, macOS users may want to exercise additional caution when installing software distributed directly from websites, particularly from untrusted or unfamiliar developers.