8kSec

Computer and Network Security

Malden, Massachusetts 5,574 followers

Providing Offensive Security Training and Services. On-demand Mobile Security and AI courses.

About us

8kSec was founded out of a passion for delivering exceptional cybersecurity services. Our mission is to bridge the gap between advancing mobile security and the need for robust protection. In addition to our training and blogs, we offer a wide range of cybersecurity services to fulfill this mission. As a cybersecurity service provider, we offer customized solutions tailored to your specific needs and challenges. We can help you with Penetration Testing, Secure SDLC, and more. Find the full list on the Services page of our website. For training, we offer On-demand courses as well as live training options to our customers. Our training programs stand out for their unique coverage of topics not addressed by other providers. Choose to train with us, and you'll appreciate our commitment to refining and sharpening our programs through a continuous and responsive feedback loop. You can check out our On-demand courses at https://academy.8ksec.io/, or visit the Training page on our website to learn more. Finally, we share technical blogs focused on different aspects of Mobile Security, including Android and iOS Malware Analysis, ARM64 Reversing and Exploitation, Advanced Frida Usage and more. You’ll find them on our Blog page. Visit our website to learn more about our offerings, or contact us for a free consultation and a quote. We'll get back to you within 1-2 business days.

Website
https://8ksec.io
Industry
Computer and Network Security
Company size
2-10 employees
Headquarters
Malden, Massachusetts
Type
Privately Held
Founded
2022
Specialties
Cybersecurity Training, Security Research, Vulnerability Research, Exploit Development, Data Privacy, Security Compliance, Penetration Testing, Incident Response, Risk Assessment, Cybersecurity Consulting, SSDLC, Cybersecurity Certification, and Infosec

Updates

  • iOS Deep Link Attacks: In this blog we dive into identifying and exploiting vulnerabilities in iOS deep links. 🚨 Learn how to identify and exploit:
    ✅ DeepLink Phishing - Trick users into opening malicious links
    ✅ Insufficient URL Validation - Bypass security checks
    ✅ HTML Injection via DeepLink - Inject malicious code
    ✅ CSRF via DeepLink - Exploit trust in app-to-app communication
    🔗 Read now: https://lnkd.in/dC3yTb7u
    Follow 8kSec for more hands-on security content

  • This blog breaks down how to find deep link attack surface in iOS apps, covering both URL Schemes and Universal Links with white-box and black-box techniques: https://lnkd.in/d7bAv-Mh
    Two link types, very different security properties:
    [1] URL Schemes: custom protocols like 8ksec:// defined in Info.plist. Any app can register the same scheme. No ownership verification.
    [2] Universal Links: HTTPS URLs tied to your domain via apple-app-site-association. Apple's answer to the URL scheme free-for-all.
    Finding them without source code:
    → Pull Info.plist with plutil for registered schemes
    → Run strings with regex against the binary to surface path structures
    → Hook [application:openURL:] with Frida to intercept deep links at runtime
    → Check /.well-known/apple-app-site-association for Universal Link paths
    The key takeaway: extracting the scheme alone isn't enough. The real attack surface lives in the paths, parameters, and handlers inside the binary.
    Follow 8kSec for more mobile security research.

  • This blog walks through building a ROP chain on ARM64: https://lnkd.in/eT2dPTHz
    The target binary has two functions: chain1 copies "nc -l 4000" into a buffer, chain2 calls system() to execute it. The goal: chain them via return-oriented programming.
    → Vulnerability: main() uses gets() on a 64-byte stack buffer, no bounds check. The binary leaks its own runtime address, enabling ASLR bypass.
    → ASLR slide: Subtract the static address (from Hopper) from the leaked runtime address: 0x102693d50 - 0x100007d50 = 0x268c000. Add this to every gadget address.
    → The chain: Jump to chain1's second instruction (we skip the prologue so it doesn't push a new frame). When chain1 returns, it pops the next address from the stack, which you control. Place chain2 there. Flow: overflow → chain1 (loads "nc -l 4000") → chain2 (system()) → netcat listener on port 4000.
    → Payload: 104 bytes of 0x41 padding to reach x30, then chain1's address in little-endian, then chain2's. Recalculated per execution since ASLR re-randomizes each launch.
    Keep learning with 8kSec. Follow us for more such content.

  • Our blog walks through exploiting a Use-After-Free to bypass authentication on ARM64: https://lnkd.in/ex_pxGZ7
    The target is a binary called vuln with a login system. Reverse engineering it in Hopper reveals the user struct layout: 260 bytes, 256-byte username field followed by a 4-byte password field. The binary has a hidden reset command that frees the user struct without nullifying the pointer, leaving a dangling pointer.
    The exploit chain:
    - Create a user via username
    - Trigger reset to free the struct
    - Call customerChat, allocates new memory overlapping the freed struct's address space
    - Write "BBB" into the chat, lands where the password field was
    - Login with "BBB", authentication bypassed
    The freed memory gets reallocated for a different purpose, but the old pointer still references it. The application uses that dangling pointer for authentication, so the attacker controls what it reads.
    Follow 8kSec for more hands-on security content.

  • 🌍 Earth Day Giveaway - Learn Mobile or AI Security For Free
    One beautiful planet we all share. A small thank-you to those learning with us. To celebrate Earth Day, we’re giving away 3 free seats to any 8kSec Academy course, winner’s choice:
    • Practical AI Security: Attacks, Defenses, and Applications
    • Practical Mobile Application Exploitation
    • Offensive Mobile Reversing and Exploitation
    • Offensive iOS Internals
    • Offensive Android Internals
    Browse the catalog → https://academy.8ksec.io
    How to enter:
    → Follow our page
    → Like this post
    → Repost it
    🌟 Bonus: double your chances! 💬 Comment your favorite place on Earth you’ve visited or would like to visit 🌍, and we’ll count your entry twice.
    3 winners will be announced on April 27 on our social media. We’ll DM each winner to select their course.

  • How does a single tap on a link end in a fully compromised iPhone? Our new blog walks through DarkSword – the pure-JavaScript iOS exploit kit disclosed by Google's Threat Intelligence Group on March 19, 2026, and now being used in the wild by multiple commercial surveillance vendors and state actors.
    We focus on the browser exploit – the first three stages of DarkSword's six-CVE chain:
    - Getting code running in Safari's renderer via a JavaScriptCore JIT bug: CVE-2025-43529
    - Defeating Pointer Authentication Codes (PAC) to turn arbitrary read/write into real native function calls: CVE-2026-20700
    - Pivoting out of the WebContent sandbox via an ANGLE/WebGL parameter-validation flaw: CVE-2025-14174
    The post is written for readers who have never opened a browser-exploit writeup before. We explain what a renderer process is, why JIT compilers are exploit-prone, and why escaping the sandbox is the whole game.
    Read it → https://lnkd.in/dgmtF686
    Stay updated with 8kSec for more blogs like this

  • Think AI threats start at the connection layer? Think again! We mapped the AI attack kill chain to MITRE ATLAS, 6 stages with an honest defense verdict at each one. Swipe through the carousel 👇
    Two stages are undefendable by design:
    -> Reconnaissance looks identical to normal usage
    -> Resource development happens entirely offline
    Your strongest interception points are stages 4 and 5:
    -> Semantic anomaly detection on AI inputs
    -> Output controls + allow lists + human approval before sharing
    The insight that should change how you architect AI systems: traditional DLP won't catch AI-driven data exfiltration. Sensitive data can be exfiltrated through Slack, JIRA, Office 365, exactly where employees normally communicate. The content is the attack, not the connection.
    Bookmark this for your next AI architecture review or threat modeling session.
    Stay updated with 8kSec for more insights like this

  • This blog teaches ARM64 from zero, then walks you through a working heap overflow exploit: https://lnkd.in/enb9uaEC
    Why ARM64? Every modern iPhone and Android device runs on it. Reversing mobile binaries means reading ARM64 assembly. This is where you start!
    Architecture
    → RISC load/store model, all operations happen in registers, not memory
    → Two execution states: Aarch32 (32-bit) and Aarch64 (64-bit)
    → Four privilege levels: EL0 (userland) through EL3 (secure monitor)
    Registers you'll actually use
    → x0–x7: function arguments
    → x29: frame pointer
    → x30: link register (holds the return address, and the key to controlling execution flow)
    → x19–x28: callee-saved
    → PC, SP, CPSR
    Key opcodes
    → MOV - move between registers
    → LDR/STR - load and store
    → LDP/STP - paired load/store
    → ADR/ADRP - address calculation
    → CMP + BNE - compare and branch
    → BL/BLR - call with link
    → RET - return via x30
    Each with concrete assembly examples, pre-indexing vs post-indexing, signed vs unsigned loads, syscall conventions.
    The exploit: heap overflow → arbitrary command execution
    → Two adjacent 0x400-byte heap buffers: name and command
    → "whoami" is written into command
    → User-supplied file is read into name via fread() - no size check
    → Supply a file larger than 0x400 bytes, overflow spills into command
    → system(command) fires and executes whatever you planted there
    One python3 -c 'print("/"*0x400+"/bin/ls\x00")' > hax.txt and you've replaced whoami with ls. Swap in a reverse shell and you own the device.
    Follow 8kSec for more deep dives into mobile security.

  • Offensive Mobile Reversing and Exploitation: join our 4-day live training at one of two locations.
    🇺🇸 Las Vegas, USA · Black Hat USA · August 1-4 🔗 https://lnkd.in/dRQwbUnX
    🇮🇹 Rome, Italy · RomHack · September 28 - October 1 🔗 https://lnkd.in/dEMgyJhP
    What you'll cover across 4 days:
    – ARM64 internals and mobile kernel architecture
    – iOS 26 mitigations: SPTM, TXM, PAC, PPL, MTE
    – Android kernel security: RKP, SELinux, Binder IPC
    – Static and dynamic analysis of iOS and Android binaries
    – Dynamic instrumentation with Frida: hooking, memory manipulation, network interception
    – Binary analysis with Ghidra and Hopper
    – Malware analysis: real-world crypto wallet stealers and accessibility malware
    – AI-driven reversing with MCP servers
    – Exploit development for ARM platforms
    – Reverse engineer iOS and Android apps and binaries
    – Learn how to audit iOS and Android apps for security vulnerabilities
    Corellium access included throughout, real iOS and Android virtual devices, no physical hardware needed. You leave with exploit PoC code, vulnerable app source, and access to an ongoing support channel.
    🎓 Includes the Certified Offensive Mobile Security Expert (OMSE) certification.
    ⚡ Limited seats at both locations.
