Readit News
FluGameAce007 commented on · Posted by u/FluGameAce007
FluGameAce007 · a day ago
Observed on production-fused A16 Bionic devices (e.g., iPhone 14 Pro Max), internal debug pathways activate under stock iOS (debug = 0x0, dev-fused = 0). SecureROM, firmware, and co-processors all exhibit debug behavior without jailbreak, tampering, or provisioning profiles.

This violates Apple’s hardware trust model and exposes internal diagnostics meant for development silicon.

FluGameAce007 commented on · Posted by u/FluGameAce007
FluGameAce007 · 10 days ago
This post details an active vulnerability chain on iOS 18.6.2 involving malformed Siri Shortcuts that persist in the background, abuse system daemons, and tolerate TLS trust mismatches. Full report with logs and CVSS scoring available on GitHub. Reproducible in production.
FluGameAce007 commented on · Posted by u/FluGameAce007
FluGameAce007 · 11 days ago
A forensic analysis of iOS 18.6 reveals a silent data exfiltration sequence initiated entirely by Apple system daemons — no app involved, no permission prompt, no UI indicator. In a ~3-second window, nsurlsessiond and symptomsd transferred ~5MB of data over the network. This activity is not tied to any userland app, does not trigger any TCC prompt, and cannot be viewed or controlled in iOS privacy settings.

Sequence of events:

tccd preflights access to Reminders (TCC-protected) with no app context

abm-helper, CommCenterRootHelper, and cfprefsd coordinate via Mach/XPC

sosd attempts to write to a sensitive communications safety plist

nsurlsessiond purges its cache

symptomsd logs 5MB+ of RX/TX traffic — with no app running

There is:

No telemetry toggle

No EDR/MDM visibility

No disclosure from Apple

This breaks the app-based sandbox and represents:

A system-native stealth exfil pipeline

Cross-daemon privilege chaining

A real privacy and compliance blind spot

FluGameAce007 commented on iOS 18.5 Bluetooth Privacy Vulnerabilities github.com/JGoyd/iOS-18.5... · Posted by u/FluGameAce007
stackskipton · 13 days ago
What is this report supposed to show? System-level daemons have low-level access or iPhone, unlocked and having trusted the hardware I assume, can be made to reveal data? This reads like someone asked AI about debugging iPhone using their laptop, dug into some system daemons and wrote up a report acting like the sky is falling when it's expected behavior. UID 0 can bypass file permissions, alert kernel developers!

Real question is, can other iOS applications trigger this data leaking behavior or can untrusted MacOS devices do this as well?

FluGameAce007 · 12 days ago
"Preflight=yes" bypassing user prompts is not expected or documented behavior... period.

The fact that internal system daemons can silently trigger access to TCC-protected domains (like Contacts, FaceID, Microphone, and Bluetooth) without app association or user consent breaks Apple’s own stated privacy model.

FluGameAce007 commented on iOS 18.5 Bluetooth Privacy Vulnerabilities github.com/JGoyd/iOS-18.5... · Posted by u/FluGameAce007
jeffbee · 13 days ago
From what I've seen lately, you're the only person who thinks it is surprising that an iPhone sometimes turns on the Bluetooth radio.
FluGameAce007 · 12 days ago
What is surprising is that it's accessing my camera, contact list and my mic...
FluGameAce007 commented on iOS 18.5 Bluetooth Privacy Vulnerabilities github.com/JGoyd/iOS-18.5... · Posted by u/FluGameAce007
FluGameAce007 · 13 days ago
Using only Apple’s official diagnostic tools (Console.app) on a clean, non-jailbroken iPhone 14 Pro Max, the following issues were observed:

System daemons silently initiate Bluetooth Low Energy (BLE) scans without app activity or user interaction.

GPS location harvesting occurs with no prompts, indicators, or active apps.

Internal frameworks bypass Apple’s Transparency, Consent, and Control (TCC) protections using undocumented flags.

Bluetooth trust metadata (e.g., IRKs, pairing history) is exposed even when devices are disconnected.

Cryptographic failures are silently ignored during trust operations.

These behaviors suggest an integrated telemetry pipeline that operates beneath iOS’s user-facing privacy model. The full report includes logs, technical breakdowns, and reproduction steps.

u/FluGameAce007 · Karma 38 · Cake day February 22, 2025