
Researchers at mobile privacy firm Mysk have disclosed details of a now-patched macOS vulnerability that could allow malicious apps to bypass Apple’s sandbox and privacy protections to access sensitive user data stored by messaging, productivity, and browser applications.
Tracked as CVE-2026-28910, the flaw abused Apple’s built-in Archive Utility app and a long-standing drag-and-drop behavior in macOS to access protected application containers, bypass Transparency, Consent, and Control (TCC) safeguards, and even hijack trusted third-party apps without elevated privileges or special permissions.
The issue affected macOS Tahoe 26.0 through 26.3.2 and was fixed in macOS 26.4, released in March 2026.
Mysk researchers Talal Haj Bakry and Tommy Mysk said the vulnerability highlighted broader weaknesses in macOS privacy isolation guarantees, particularly for apps users trust with highly sensitive local data, including Signal, WhatsApp, Telegram, Safari, Mail, and Notes.
According to the researchers, the flaw did not break end-to-end encryption or enable remote compromise on its own. Instead, it created a powerful post-compromise capability, allowing a malicious or trojanized macOS app to access files that should normally remain isolated by Apple’s sandbox model.
“This was significant because it bypassed all three protections with minimal user interaction,” the researchers explained in their report.
The attack chain centered around Archive Utility, Apple’s default archive extraction and compression tool bundled with macOS. Until version 26.4, the utility reportedly had unusually broad filesystem access, allowing it to interact with files inside protected application containers and TCC-restricted directories such as Desktop and Documents.
Mysk discovered that macOS drag-and-drop behavior could permanently grant applications access to files dropped onto them, including files inside protected locations. By combining that behavior with Archive Utility’s broad access, attackers could effectively copy protected data outside of sandboxed directories.
The researchers developed a proof-of-concept tool named “au-cp” that automated the process and demonstrated access to sensitive local application data, including:
- iMessage chat databases
- Apple Notes data
- Safari browsing sessions and cookies
- Mail inboxes and attachments
- WhatsApp and Telegram message storage
The report also showed how attackers could tamper with installed applications under /Applications by replacing executables inside trusted app bundles. In one demonstration, the researchers hijacked Signal Desktop to trigger a legitimate macOS keychain prompt, potentially allowing attackers to steal encryption keys if a victim entered their password.
The attack required user interaction, but nothing technically sophisticated on the victim's part. Mysk’s proof-of-concept disguised a symbolic link as a normal macOS application installer, tricking users into performing the drag-and-drop action commonly associated with installing applications on macOS.
Once completed, the malicious script gained long-term access to Archive Utility’s preferences and could repeatedly abuse the bypass without additional prompts.
Applications like Signal and WhatsApp often store sensitive local databases under the assumption that macOS application containers prevent other software from reading them. While some applications encrypt local data at rest, others depend heavily on Apple’s containerization and privacy controls for isolation.
Mysk noted that Safari cookies were accessible because Apple stores them unencrypted within protected application containers. By contrast, Chromium-based browsers store encryption keys in the macOS Keychain, adding another layer that attackers would need to bypass.
The researchers first reported the vulnerability to Apple on October 17, 2025. Apple confirmed the issue in November and shipped mitigations in macOS 26.4 on March 24, 2026, more than five months later.
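Two checks a defender would want after reading this: whether a given Mac is still on a build that predates the 26.4 fix, and whether any app bundle under /Applications fails Apple's strict code-signature verification (the report describes replacing executables inside trusted bundles, which that check catches). The script below is an added example, not Mysk's au-cp tool or anything from their report; it assumes only the stock `sw_vers` and `codesign` utilities, and the version range it encodes is the one stated in this article (affected 26.0 through 26.3.2, fixed in 26.4).

```shell
#!/bin/sh
# Added example (not from the Mysk report). Two defender-side checks for
# CVE-2026-28910 as described in the article:
#   1. is this macOS build older than the 26.4 release that carries the fix?
#   2. do all app bundles under /Applications pass strict signature checks?

# Returns 0 when the version string names a macOS Tahoe (26.x) build that
# predates 26.4, 1 when it is 26.4 or later or not Tahoe at all, and 2 when
# the string is not a version number. Usage: macos_missing_fix "26.3.1"
macos_missing_fix() {
    ver="$1"
    # Split "26.3.2" into positional parameters 26 / 3 / 2; missing
    # components default to 0 so "26.4" is read as 26.4.0.
    set -- $(printf '%s' "$ver" | tr '.' ' ')
    major=${1:-}
    minor=${2:-0}
    patch=${3:-0}
    for part in "$major" "$minor" "$patch"; do
        case "$part" in
            ''|*[!0-9]*) return 2 ;;
        esac
    done
    # Only macOS Tahoe (major version 26) is named as affected.
    [ "$major" -eq 26 ] || return 1
    # 26.4 shipped the fix; every 26.x below it is treated as unpatched,
    # which covers the stated 26.0 .. 26.3.2 range.
    [ "$minor" -lt 4 ] || return 1
    return 0
}

# Runs Apple's codesign verifier over every .app in a directory (default
# /Applications). A bundle whose executable was swapped out fails the
# --deep --strict check. Prints one line per bundle; returns 1 if any
# bundle failed, 2 if codesign is not available (e.g. not on a Mac).
check_app_signatures() {
    dir="${1:-/Applications}"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available on this system" >&2
        return 2
    fi
    failures=0
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue
        if codesign --verify --deep --strict "$app" 2>/dev/null; then
            echo "OK   $app"
        else
            echo "FAIL $app"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Only run the live checks when invoked on a Mac; elsewhere the functions
# are still defined and can be called with a version string directly.
if command -v sw_vers >/dev/null 2>&1; then
    current=$(sw_vers -productVersion)
    if macos_missing_fix "$current"; then
        echo "macOS $current predates the 26.4 fix for CVE-2026-28910"
    else
        echo "macOS $current is not a build named as affected"
    fi
    check_app_signatures /Applications
fi
```

The version check is deliberately conservative: rather than hard-coding the 26.3.2 upper bound, it treats every Tahoe build below 26.4 as unpatched, so an unexpected 26.3.x point release is not silently reported as safe. The signature check is a detection control, not a complete one: it flags tampered bundles but says nothing about data already copied out of a container before the fix was applied.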
