Root Persistence via macOS Recovery Mode Safari (yaseenghanem.com)

by yaseeng 17 comments 26 points


[−] yaseeng 39d ago
For context: I submitted this to Apple in September 2025 and waited 6 months before publishing. Apple closed both reports citing FileVault as a mitigation, which is technically accurate, but FileVault is opt-in and many people disable it during setup without understanding what it does (myself included when I got my MacBook in 2020). My personal view is that the behavior significantly reduces the effort required to persist data on an unencrypted system compared to, for example, side-loading Linux. Regardless, Tahoe 26.3 (it might have been patched before, I didn't check) appears to have silently patched both issues.
[−] KennyBlanken 39d ago

> which is technically accurate but FileVault is opt-in

It's been on by default since around circa 2013.

Also, FileVault is on top of the encryption provided by the Secure Enclave.

> many people disable it during setup without understanding what it does

Citation required. Most people don't disable things on their computer when they "don't understand what it does."

> myself included when I got my MacBook in 2020

That's an anecdote, not evidence of a trend in a population.

> Tahoe 26.3 (It might have been patched before, I didn't check) appears to have silently patched both issues.

Gotta love a clickbait title designed to make people panic... about a minor fixed two months ago.

[−] ZenDroid 39d ago

> It's been on by default since around circa 2013

Wrong. It's not on by default.

https://apple.stackexchange.com/questions/324805/do-apple-la...

[−] AshamedCaptain 39d ago
You boot an operating system on the machine, you have access to all unencrypted files, what is so strange about this? You can do the same thing with Terminal. And smells of GenAI...
[−] yaseeng 39d ago
Actually, this is a distinction worth clarifying: in Recovery Mode, Terminal does require mounting the data volume first, which typically prompts for an admin password. Safari bypassed this entirely, writing directly to protected system locations without any authentication. Furthermore, no GenAI was used in writing the article. I come from an Egyptian-speaking background, so my English may be a bit funky, sorry :)
[−] lapcat 39d ago

> in Recovery Mode, Terminal does require mounting the data volume first, which typically prompts for an admin password.

This is not my experience. The Data volume mounts automatically, and there's no password prompt.

[−] lights0123 39d ago
Yep. While the Terminal is not an option from the 4 apps listed in the initial screen, it's available from Utilities → Terminal at the top. They even provide a convenient way to access the hard drive from another computer: https://support.apple.com/guide/mac-help/macos-recovery-a-ma...
[−] jeroenhd 39d ago
Apple tries to lock down access at the very least. They also patched the vulnerability twice (they restricted Safari for some reason and they also disabled the settings in the new version of Safari). It seems like Apple cares at the very least. Which is weird, because they also give you a terminal?

Lots of people I've met were surprised that I was able to get their photos from their Windows laptops without ever needing their password. Especially these days, in the age where even phones and Windows 11 will enable encryption by default, it's a tad weird that disk encryption isn't on by default on macOS. I, at the very least, was surprised that disk encryption isn't mandatory and always on on macOS, seeing the way Apple controls both the OS and the TPM firmware so that they're pretty much immune to the dreaded "BIOS update made my laptop ask for BitLocker" problem you get on Windows.

I don't really get why this would be AI generated, what makes you think that?

[−] girvo 39d ago
EDIT: The person I replied to entirely rewrote their comment (with no indication they did so) so mine seems weird now, apologies for that.

Apple fixed the issue it seems, but did kind-of-sort-of ignore it. The argument from the OP is that it requires physical access, you don't need to convince the user to do anything, the attacker can do it...

...which Apple pointed out (in the article you're commenting on) that if FileVault was enabled this wouldn't be possible, which is true.

And if you have physical access and no encryption, then it's kind of game over anyway. But still, kind of neat to find something like this, and Apple fixed it regardless.