April 6, 2026

Held power, opened Pandora’s Mac

Root Persistence via macOS Recovery Mode Safari

Safari in Mac recovery lets you save to your disk—'non‑issue' vs 'yikes'

TLDR: A researcher found Safari in Mac’s recovery screen could save files to the main drive—serious if disk encryption (FileVault) is off—and a second bug let files be read. Apple pointed to FileVault, sparking a split between “expected behavior” and “unsafe for regular users,” with commenters urging encryption on.

Accidental discovery or Pandora’s Mac? Researcher Yaseen Ghanem says Safari in macOS Recovery Mode—that special “help me, my Mac is broken” screen—let him save files straight onto the main drive without a password, potentially enabling deep, persistent hacks. There’s also a separate bug that let files be read freely. Full nerd write‑ups are here and here.

But the comments? Flaming. One camp shrugs: if you can boot the machine, of course you can touch unencrypted files—“what’s strange about this?” One skeptic even sniffed, “smells of GenAI”, implying the post was hype. On the other side, Ghanem fires back with receipts: he reported both bugs to Apple in 2025, and Apple closed both reports citing FileVault (Apple’s full‑disk encryption) as the mitigation. He warns that FileVault is opt‑in, and many people leave it off without realizing what that exposes. Translation: average users could be wide open.

Cue memes: “Hold power too long, unlock Narnia,” and “save an apple in Safari, save Apple.” The clash boils down to responsibility: security pros say this is expected if encryption’s off; everyday users say don’t let Recovery write to my disk without a password. Between “nothingburger” and “nightmare fuel,” the only thing everyone agrees on: turn on FileVault—and maybe don’t test your luck in Recovery Mode unless you’re wearing flameproof gloves.

Key Points

  • Two Safari vulnerabilities were found in macOS Recovery Mode: arbitrary writes enabling root persistence (CVSS 8.5) and unrestricted file reads (CVSS 4.6).
  • The write vulnerability affects macOS Sequoia and older; the read vulnerability affects macOS Tahoe.
  • In Recovery Mode, connecting to Wi‑Fi and using Safari is allowed, enabling access to arbitrary websites.
  • Changing Safari’s download setting to “Ask for each download” allowed saving files to mounted volumes, including “Macintosh HD,” enabling persistent writes without authentication.
  • Safari’s content sniffing forced ambiguous downloads to .txt, limiting certain exploit approaches; detailed exploitation is in linked technical write-ups.
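The one thing both camps agree on is that FileVault decides whether the Recovery Mode Safari write matters at all. Below is an added example, not code from the original page or from Ghanem’s write‑ups, that checks the FileVault state the way a fleet or pre‑flight script would: it reads the output of Apple’s `fdesetup status` command (the strings “FileVault is On.” and “FileVault is Off.” are what that command prints), classifies it, and points at `sudo fdesetup enable` when the disk is unencrypted. On a machine without `fdesetup` it falls back to a constructed sample string so the parsing logic can still be exercised; that fallback is clearly labelled and is not real output from any host.

```shell
#!/bin/sh
# Added example: is this Mac's disk encrypted, i.e. does the Recovery Mode
# Safari write actually reach readable data? Not part of the original page.

# Classify the text printed by `fdesetup status`.
# Prints: on | off | unknown  (unknown covers anything unexpected, e.g. an
# error message, so callers never mistake garbage for "encrypted").
filevault_state() {
    case "$1" in
        *"FileVault is On."*)  echo on ;;
        *"FileVault is Off."*) echo off ;;
        *)                     echo unknown ;;
    esac
}

# Run the real command when it exists (macOS); elsewhere use a constructed
# sample so the script can be run and read on any POSIX shell.
# Exit status: 0 = on, 1 = off, 2 = could not tell.
check_filevault() {
    if command -v fdesetup >/dev/null 2>&1; then
        status_text=$(fdesetup status 2>/dev/null)
    else
        # Constructed sample output, NOT the state of this host.
        status_text="FileVault is Off."
    fi

    state=$(filevault_state "$status_text")
    case "$state" in
        on)
            echo "FileVault is on: the data volume stays locked in Recovery Mode until a user password is entered."
            return 0 ;;
        off)
            echo "FileVault is OFF: anyone who boots Recovery Mode can read and write this disk."
            echo "Enable it with:  sudo fdesetup enable   (save the recovery key it prints)"
            return 1 ;;
        *)
            echo "FileVault state unclear; raw output was: $status_text"
            return 2 ;;
    esac
}

# Top-level run. Captured with '|| rc=$?' so the script keeps going (and keeps
# working under 'set -e') when FileVault is off; exit with $rc in a fleet check.
rc=0
check_filevault || rc=$?
echo "filevault check exit status: $rc"
```

Run it as a plain script on the Mac in question; a non‑zero exit status is the condition the write‑ups describe, an unencrypted volume that Recovery Mode can modify without any password.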

Hottest takes

"You boot an operating system on the machine… what is so strange about this?" — AshamedCaptain
"And smells of GenAI..." — AshamedCaptain
"Apple closed both reports citing FileVault as a mitigation" — yaseeng
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.