CVE-2026-28910: Breaking macOS App Sandbox Data Containers, TCC, and Hijacking Apps Using Archive Utility

Mysk Blog – In-Depth Cybersecurity & Mobile App Privacy Research

2026-05-19 by Talal Haj Bakry and Tommy Mysk

Until macOS 26.4, Archive Utility had nearly unrestricted filesystem access. Combined with a drag-and-drop sandbox quirk, this let an attacker bypass App Sandbox data containers, Transparency, Consent, and Control (TCC) protections, and hijack third-party apps — all without special permissions or elevated privileges.


Like our research? Try Psylo.

Psylo is our privacy-first browser for iOS and iPadOS, with a built-in proxy network, per-tab isolated web sessions, and anti-fingerprinting. Using it helps fund more work like this.

Read why we built it →

Download Psylo →

Affected Platforms

macOS Tahoe 26.0.0 – 26.3.2

Earlier versions of macOS are likely affected as well, but have not been tested.
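A quick way to act on the affected range above is to compare the installed product version against it. The script below is an added example and not code from the Mysk post; it encodes the range the post states (26.0.0 through 26.3.2, fixed in 26.4), treats anything before 26.0.0 as untested rather than safe, and reads the running version with the standard `sw_vers -productVersion` command when run on a Mac.

```python
"""Added example (not code from the Mysk post): classify a macOS product
version against the affected range the post lists for CVE-2026-28910,
macOS 26.0.0 through 26.3.2, fixed in macOS 26.4."""
import subprocess

AFFECTED_MIN = (26, 0, 0)   # first affected release named in the post
FIXED_IN = (26, 4, 0)       # the release that ships Apple's fix


def parse_version(text):
    """Parse '26.3.2', '26.4' or '26' into a three-part tuple.

    sw_vers prints at most three dot-separated numbers; missing trailing
    components count as 0, so '26.4' compares equal to '26.4.0'.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised macOS version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return tuple(nums)


def assess(version_text):
    """Return 'affected', 'patched' or 'untested'.

    'untested' covers releases before 26.0.0: the post says they are
    likely affected too but were not tested, so treat them as unknown
    rather than safe.
    """
    v = parse_version(version_text)
    if v >= FIXED_IN:
        return "patched"
    if v >= AFFECTED_MIN:
        return "affected"
    return "untested"


def installed_version():
    """Read the running macOS version with sw_vers; None when not on macOS."""
    try:
        out = subprocess.run(["sw_vers", "-productVersion"],
                             capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    current = installed_version()
    if current is None:
        print("sw_vers not available: not running on macOS")
    else:
        print(f"macOS {current}: {assess(current)} for CVE-2026-28910")
```

Run it with `python3 check_version.py` on the Mac in question; an "untested" result on a pre-26 release should be read as "likely affected" per the post, not as a pass.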

Summary

Through Archive Utility, the default compression utility in macOS, an attacker can:

Gain full access to files protected by macOS app data containers, including those used by Apple apps (e.g., Safari, iMessage, Notes), third-party apps (e.g., Signal, WhatsApp), and iCloud Group Containers — without triggering any system or permission prompts.

Gain full access to files protected by Transparency, Consent, and Control (TCC), such as those inside ~/Desktop and ~/Documents, even if the user chooses “Don’t Allow” in the TCC prompt.

Hijack third-party apps by replacing the executable under /Contents/MacOS/ inside their application bundles, impersonating apps the user has already installed and trusted — including background agents like ones from Chrome or Figma. macOS displays a notification that it prevented modifying the app, but the attack still succeeds.

The attack requires only two user actions: running the attacker’s code and dragging and dropping one specific file.
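The third outcome above, a replaced executable under Contents/MacOS/ that macOS notifies about but does not stop, is the one a defender can catch after the fact with an integrity baseline. The script below is an added example and not code from the Mysk post or from Apple: it records a SHA-256 hash of every executable under each bundle's Contents/MacOS/ directory, and a later check reports which ones changed. The bundle names, bytes and paths in `demo()` are constructed for illustration.

```python
"""Added example (not code from the Mysk post): a SHA-256 baseline of the
executables under <bundle>.app/Contents/MacOS/ so a replaced binary, the
app-hijacking outcome the post describes, is flagged on the next check.
Bundle names and file contents in demo() are constructed for the demo."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def bundle_executables(apps_dir):
    """Yield (relative path, absolute path) for each regular file under
    Contents/MacOS/ of every top-level .app bundle in apps_dir."""
    apps_dir = Path(apps_dir)
    for bundle in sorted(apps_dir.glob("*.app")):
        macos_dir = bundle / "Contents" / "MacOS"
        if not macos_dir.is_dir():
            continue
        for exe in sorted(macos_dir.iterdir()):
            # Skip symlinks: a link pointing outside the bundle deserves a
            # manual look rather than being hashed as the app's binary.
            if exe.is_file() and not exe.is_symlink():
                yield str(exe.relative_to(apps_dir)), exe


def build_baseline(apps_dir):
    """Map 'Foo.app/Contents/MacOS/Foo' -> sha256 hex for all bundles found."""
    return {rel: hash_file(path) for rel, path in bundle_executables(apps_dir)}


def compare(baseline, current):
    """Diff two baselines; 'modified' is the list a swapped binary lands in."""
    return {
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def save_baseline(baseline, out_path):
    Path(out_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_path):
    return json.loads(Path(in_path).read_text())


def demo():
    """Constructed scenario: two fake bundles, then one executable replaced.

    Returns the compare() result so the outcome can be checked without a
    real /Applications folder. The leading bytes mimic a Mach-O magic
    number only for realism; nothing here parses them.
    """
    with tempfile.TemporaryDirectory() as tmp:
        apps = Path(tmp)
        for name in ("Alpha", "Beta"):
            macos_dir = apps / f"{name}.app" / "Contents" / "MacOS"
            macos_dir.mkdir(parents=True)
            (macos_dir / name).write_bytes(b"\xcf\xfa\xed\xfe original " + name.encode())
        baseline = build_baseline(apps)
        # Simulate the main executable of Beta.app being swapped out.
        (apps / "Beta.app" / "Contents" / "MacOS" / "Beta").write_bytes(
            b"\xcf\xfa\xed\xfe replaced")
        return compare(baseline, build_baseline(apps))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4 and sys.argv[1] in ("baseline", "check"):
        mode, apps_dir, store = sys.argv[1:]
        if mode == "baseline":
            save_baseline(build_baseline(apps_dir), store)
        else:
            print(json.dumps(compare(load_baseline(store),
                                     build_baseline(apps_dir)), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Usage: `python3 app_baseline.py baseline /Applications baseline.json` once, then `python3 app_baseline.py check /Applications baseline.json` on a schedule. Two design points matter here: the baseline file must live somewhere the ordinary user account cannot write, because the attack the post describes runs with that account's privileges; and this hash check complements rather than replaces `codesign --verify --deep --strict /Applications/Foo.app`, which validates the developer's signature instead of a local snapshot.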

Summary for Non-Technical Readers

We found a major macOS security issue that Apple patched in macOS 26.4. If an attacker tricks you into running their code and dragging and dropping one specific file, they could:

Read private app data, such as data from Notes, Messages, WhatsApp, or Safari, without notifying you or asking for permission.

Access files in places you expect to be private, such as your Desktop or Documents folders, even if you choose not to give permission.

Secretly replace trusted apps you already have installed with malicious versions.

All this can happen without your Mac’s password or any special approval. The attack bypasses macOS security protections by taking advantage of a bug in the Mac’s built-in Archive Utility, the tool macOS uses to open and compress zip files.

Background

A Quick Introduction to macOS App Sandbox and Data Containers

macOS relies on several layers of protection to isolate apps and safeguard user data:

App Sandbox restricts what each app can do at the kernel level. Sandboxed apps can only access resources they have been explicitly granted permission to use. This limits the damage if an app is compromised.

Data Containers give each sandboxed app a dedicated storage directory under ~/Library/Containers/ (or ~/Library/Group Containers/ for shared data between apps from the same developer). The sandbox prevents other apps and processes, including non-sandboxed ones like Terminal and even root processes, from reading or writing files inside another app’s container.

Transparency, Consent, and Control (TCC) requires explicit user consent before an app can access sensitive locations such as ~/Desktop, ~/Documents, and Photos. TCC prompts give users visibility and control over which apps access their data.

Example of how the macOS app sandbox and containers protect app data: Attempts to copy data from the Apple Notes data container fail, even with `sudo` and full read/write permissions.

In late September 2025, we discovered that Archive Utility could be used to bypass these protections. This post explains the exploit’s basic building blocks and presents a minimal yet realistic proof-of-concept attack that requires no escalated privileges or special permissions, such as Full Disk Access. It only requires the user to:

Run a shell script in Terminal.

Drag and drop a specific file.

We considered this a serious vulnerability when we first discovered it because it bypassed all three protections with minimal user interaction. To get it to Apple as quickly as possible, we reported it before fully exploring its scope and as soon as we had a working proof-of-concept attack.

It did take Apple more than five months to fix the issue, from our initial report on October 17, 2025 to the release of macOS 26.4 on March 24, 2026. Although it was longer than we would have liked, we’re glad it’s now...
