Exploitation of human behavior always gives better results than a single bug. I wrote this example for macOS in Swift. It's a great LPE attack: by presenting, every 15 minutes, a UIKit dialog that precisely mimics Apple notices, users will just enter the local admin (or iCloud) password. On every run, this stores clipboard and password input from a launchd daemon; once the user gives the right password and it authenticates to root, it clears out the persistence and transmits the logs back to me.

You can spend 3 months writing a 0day for some obscure Mach kernel handling bug to sneak your way to local root, but did you try just asking the user for their password? You know which one has a higher ROI? The most simplistic one. This is why you get $22 million thefts from a UI: if you ask a user persistently enough, in a manner that does not disrupt their usage of the machine or raise inconsistency in machine behavior, the user almost always enters the passwords as normal at the machine.
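The persistence the thread describes (a launchd job that re-prompts on a 15-minute cadence until a password verifies) is also exactly what a defender should hunt for. The script below is an added example by the editor, not code from the post's author; it triages launchd plists for that pattern. The three plists, their paths and label names are constructed for illustration, and the heuristics (an Apple-style label installed in a user's LaunchAgents directory, an osascript "hidden answer" dialog, a StartInterval of 5 to 60 minutes, a program outside standard install locations) are the editor's assumptions about what such an agent looks like on disk. The third sample shows that the post's own variant, a custom Swift binary rather than osascript, is still caught by the label, cadence and path checks.

```python
"""Triage launchd jobs for the periodic password-nag pattern (added example)."""
import plistlib
from pathlib import PurePosixPath
from xml.parsers.expat import ExpatError

# Cadence window: frequent enough to wear the user down, rare enough not to
# look like a crash loop. 900 s is the 15-minute interval from the post.
NAG_INTERVAL_RANGE = (300, 3600)
# Apple's own agents live under /System/Library and /Library, never in a
# user's ~/Library/LaunchAgents, so an Apple-style label there is a red flag.
APPLE_LABEL_PREFIX = "com.apple."
TRUSTED_PROGRAM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                            "/Applications/", "/opt/", "/Library/Apple/")


def _is_user_scope(path):
    """True for paths under /Users/<name>/... (a per-user LaunchAgents dir)."""
    parts = PurePosixPath(str(path)).parts
    return len(parts) > 1 and parts[1] == "Users"


def analyze_launchd_job(path, data):
    """Return a list of findings (strings) for one launchd plist; [] if clean.

    path: where the plist was found; data: its raw bytes (XML or binary).
    """
    try:
        job = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return ["unparseable plist"]
    if not isinstance(job, dict):
        return ["plist root is not a dict"]

    label = str(job.get("Label", ""))
    args = job.get("ProgramArguments") or []
    args = [str(a) for a in args] if isinstance(args, list) else [str(args)]
    program = str(job.get("Program") or (args[0] if args else ""))
    cmdline = " ".join(args).lower()

    findings = []
    if label.startswith(APPLE_LABEL_PREFIX) and _is_user_scope(path):
        findings.append(f"Apple-style label {label!r} in a user LaunchAgents directory")
    if "osascript" in program and "display dialog" in cmdline and "hidden answer" in cmdline:
        findings.append("osascript credential dialog (display dialog ... with hidden answer)")
    interval = job.get("StartInterval")
    if isinstance(interval, int) and NAG_INTERVAL_RANGE[0] <= interval <= NAG_INTERVAL_RANGE[1]:
        findings.append(f"StartInterval {interval}s matches a periodic re-prompt cadence")
    if program and not program.startswith(TRUSTED_PROGRAM_PREFIXES):
        findings.append(f"program {program!r} outside standard install locations")
    return findings


# --- Constructed sample plists (illustrative; not taken from any real host) ---
NAG_PATH = "/Users/alice/Library/LaunchAgents/com.apple.softwareupdate.helper.plist"
NAG_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/osascript</string><string>-e</string>
    <string>display dialog "macOS needs your password to finish installing updates." default answer "" with hidden answer with icon caution</string>
  </array>
  <key>StartInterval</key><integer>900</integer>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# The Swift-binary variant from the post: no osascript, but same label/cadence/path tells.
HELPER_PATH = "/Users/alice/Library/LaunchAgents/com.apple.security.agent.plist"
HELPER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.security.agent</string>
  <key>Program</key><string>/Users/alice/Library/.cache/SecurityAgent</string>
  <key>StartInterval</key><integer>900</integer>
</dict></plist>"""

BENIGN_PATH = "/Users/alice/Library/LaunchAgents/homebrew.mxcl.redis.plist"
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>homebrew.mxcl.redis</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/opt/redis/bin/redis-server</string>
    <string>/usr/local/etc/redis.conf</string>
  </array>
  <key>KeepAlive</key><true/><key>RunAtLoad</key><true/>
</dict></plist>"""

CONSTRUCTED_JOBS = {NAG_PATH: NAG_PLIST, HELPER_PATH: HELPER_PLIST, BENIGN_PATH: BENIGN_PLIST}


def triage_constructed_jobs():
    """Run the heuristics over the constructed samples; path -> findings."""
    return {p: analyze_launchd_job(p, d) for p, d in CONSTRUCTED_JOBS.items()}


if __name__ == "__main__":
    for path, hits in triage_constructed_jobs().items():
        print(path, "->", hits or "clean")
```

On a live host, point the same function at every `*.plist` under `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons` (`plistlib.loads` accepts binary plists too). The "program outside standard locations" check alone fires on plenty of third-party software that keeps its helper under `~/Library/Application Support`; treat it as triage, and read two or more findings on one job as the pattern worth pulling the binary for.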

@fikran my password is your password, you loaned it to me. ;)
