Security News

Cybersecurity news aggregator

Source: Reddit r/netsec

A year of Apple Security Bounty research — 16 closed findings, full disclosure

  • What: Apple security bounty research with 16 findings
  • Impact: Security researchers disclose vulnerabilities in macOS components

Post index from the blog:

  • 051 (Disclosure, 7 Jun 2026, 6 min read) Behaving as designed. The finding I was most confident about — fskitd missing an entitlement check on formatResource and activateVolume — came back as expected behaviour. A note on what that means, and what it taught about the difference between a security gap and a design choice. Tags: macOS, FSKit, Disclosure.
  • 050 (macOS, 5 Jun 2026, 6 min read) The asymmetric guard. The binary evidence of the TOCTOU race in XProtectRemediator is real and verifiable. The exploit claim was not. How to tell the difference, and why both matter. Tags: macOS, XProtect, Methodology.
  • 049 (Methodology, 3 Jun 2026, 5 min read) Source is not enough. Reading XNU source at 2am and finding a bug. Not being able to reproduce it at runtime. The closed submission that taught the most important rule: source analysis is not security evidence. Tags: XNU, Methodology, Disclosure.
  • 048 (macOS, 1 Jun 2026, 5 min read) The shake that confirmed. The macOS lockscreen’s visual response to a valid username differs from its response to an invalid one. A username enumeration primitive that requires physical presence. Apple: expected behaviour. Tags: macOS, Lockscreen, Disclosure.
  • 047 (macOS, 30 May 2026, 6 min read) The card that wasn’t there. CryptoTokenKit reports 2 state changes. PC/SC reports 147. Same hardware, same card operations. When a framework misses 98.6% of events, the card-removal lock that depends on it misses them too. Tags: macOS, Smartcard, Disclosure.
  • 046 (Disclosure, 28 May 2026, 5 min read) The retraction. I found a CFGetTypeID gap in secd’s IPC decode path. I submitted it. I could not reproduce the IPC-triggered crash. I retracted it. This is what clean retraction looks like, and why it matters. Tags: Methodology, Disclosure, Keychain.
  • 045 (macOS, 26 May 2026, 4 min read) A null on the way back. BSD traceroute on macOS crashes with a NULL dereference when ECN mode and ICMP protocol are combined. Apple: local DoS by user themselves; not in scope. They’re right. Tags: macOS, Network, Disclosure.
  • 044 (XNU, 24 May 2026, 5 min read) The root prerequisite. A TOCTOU race in XNU’s exec_activate_image() around SUID bit evaluation. Requires root to set up. Apple: root prerequisite exceeds exploit; no security boundary crossed. Correct. Tags: XNU, macOS, Disclosure.
  • 043 (macOS, 22 May 2026, 5 min read) The database on the floor. interactionC.db carries 644 permissions. On a SIP-enabled host, the Data Vault makes those permissions cosmetic. The lesson: finding the permissions gap is not the same as demonstrating the breach. Tags: macOS, Privacy, Methodology.
  • 042 (macOS, 20 May 2026, 5 min read) The path that was open. One XPC method on kernelmanagerd returns kext paths without an entitlement check while six siblings are gated. Apple: not an actionable security report. The information was already public. Tags: macOS, XPC, Disclosure.
  • 041 (macOS, 18 May 2026, 5 min read) The staging window. Six methods on com.apple.amfi.nsxpc require an entitlement check before dispatch. One does not. During an MDM profile staging window, it returns profile data to uid=501. Apple: insufficient attack surface. Tags: macOS, amfid, Disclosure.
  • 040 (macOS, 16 May 2026, 6 min read) The ungated path. CVE-2025-24129 patched mDNSResponder’s primary trust-check bypass. The D2D/AWDL ingress path bypasses the same gate. Binary evidence is clear. Runtime PoC requires AWDL hardware I did not have. Tags: macOS, Network, Disclosure.
  • 039 (macOS, 14 May 2026, 6 min read) Skipping the hostname check. mDNSResponder’s DNS-over-TLS path does not validate the server’s TLS hostname. A rogue DoT resolver on an MDM-managed Mac accepts connections. CWE-297, CVSS 8.1. Apple closed without comment. Tags: macOS, Network, Disclosure.
  • 038 (Disclosure, 12 May 2026, 4 min read) The door that did not close. fskitd accepts unlimited appex spawn requests from unprivileged callers. Apple: resource exhaustion requiring local code execution is not a security issue. Correct — and there’s a quality observation underneath. Tags: macOS, FSKit, Disclosure.
  • 037 (Disclosure, 12 May 2026, 5 min read) Two credentials. mac_proc_check_settid receives two credential parameters that can differ. Apple confirmed: expected behaviour. What it means for forensic tools that read only one. Tags: XNU, macOS, Disclosure.
  • 036 (Methodology, 12 May 2026, 5 min read) The harness that lied. My PoC printed EXPLOIT CONFIRMED regardless of whether anything was exploited. How I found out, what the verdict-before-evidence pattern is, and the rule I now apply to every test harness. Tags: Methodology, macOS, XProtect.
  • 035 (Reflective, 15 Aug 2026, 4 min read) Three months in. Thirty-five posts. Stuart didn't plan that — he planned one. What the discipline of writing up research regularly has done to the research itself. What it left open. The blog is still a PING into the dark. Tags: Personal, Reflective.
  • 034 (Networks, 11 Aug 2026, 5 min read) How attackers see your network, Part 2: what the logs say. The inside view from the logs. What the honeynet record actually showed about attacker behaviour — the patterns, the scanning, the things that came back. The gap between what was intended to be visible and what was. Tags: Method...
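The "verdict-before-evidence" pattern from post 036 is easy to see in code. The block below is an added example, not code from the blog or from any Apple component: a harness that returns EXPLOIT CONFIRMED without ever reading target state, next to one whose verdict is computed from an observation taken before and after the exploit step, with a control run that skips the step. The Target class, exploit_step, the `effective` switch and uid 501 are constructed stand-ins for illustration only; no real bug is modelled.

```python
# Added example (not the blog's or Apple's code): deriving a PoC verdict
# from evidence instead of printing it unconditionally. Target, exploit_step
# and the `effective` switch are constructed stand-ins, not a real component.
from dataclasses import dataclass, field


@dataclass
class Target:
    """Constructed target state: uids holding a hypothetical privilege."""
    privileged_uids: set = field(default_factory=set)

    def observe(self, uid: int) -> bool:
        """The only observation a verdict is allowed to rest on."""
        return uid in self.privileged_uids


def exploit_step(target: Target, uid: int, effective) -> None:
    """Stand-in for the PoC's exploit step.

    `effective` exists only so the example can simulate every outcome:
    True = technique works, False = no effect, None = the step crashes.
    A real PoC is never told which of these happened, which is exactly
    why the verdict has to come from re-observing the target.
    """
    if effective is None:
        raise RuntimeError("simulated crash in exploit step")
    if effective:
        target.privileged_uids.add(uid)


def lying_harness(effective, uid: int = 501) -> str:
    """Anti-pattern: the verdict is fixed before any evidence is read.

    Nothing here inspects target state, and an exception in the exploit
    step is swallowed, so every run reports the same string.
    """
    target = Target()
    try:
        exploit_step(target, uid, effective)
    except Exception:
        pass
    return "EXPLOIT CONFIRMED"


def evidence_harness(effective, uid: int = 501) -> dict:
    """Observe, act, re-observe, plus a control run without the exploit step.

    CONFIRMED requires all of: the exploit step did not error, the
    privilege was absent before and present after, and the control run
    did not change between its two observations (if it did, the
    observation itself is noisy and proves nothing).
    """
    control = Target()
    control_first = control.observe(uid)
    control_second = control.observe(uid)      # same observation, no exploit step
    control_changed = control_first != control_second

    target = Target()
    before = target.observe(uid)
    error = None
    try:
        exploit_step(target, uid, effective)
    except Exception as exc:
        error = repr(exc)                      # a crash is a result, not a success
    after = target.observe(uid)

    confirmed = error is None and not before and after and not control_changed
    return {
        "before": before,
        "after": after,
        "error": error,
        "control_changed": control_changed,
        "verdict": "EXPLOIT CONFIRMED" if confirmed else "NOT CONFIRMED",
    }


if __name__ == "__main__":
    for case in (True, False, None):
        print(f"effective={case!s:5}  lying: {lying_harness(case)}"
              f"  evidence: {evidence_harness(case)['verdict']}")
```

The useful habit is the second function's shape: the string "EXPLOIT CONFIRMED" appears exactly once, behind a boolean that is assembled from before/after observations, an error check and a control, so a harness that prints it has by construction measured something. Running the three cases shows the lying harness reporting a confirmed exploit even when the step crashed.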
