It's scarcely necessary to "exploit" an operating system which essentially lacks any security model. If you are code running on Haiku, you have better than superuser privileges. Such code can (while the mere user cannot) do stuff like alter the internals of "read-only" system software, blow up the operating system internals or scribble all over the raw disk.
Back in the day Haiku didn't do the hostname check in its TLS code. Browser, command line tools, package updates, everything just ignored hostnames - so it would have apparently secure HTTPS fetches, but under the hood if you can interpose and hand Haiku a certificate you got for say your personal blog from Let's Encrypt, that checks out fine even though the name doesn't match - so you could impersonate Haiku's update servers. They did, after many years, fix that particular issue, but lots of similar bugs remain, you're primarily hoping nobody tries anything.
> Such code can (while the mere user cannot) do stuff like alter the internals of "read-only" system software, blow up the operating system internals or scribble all over the raw disk.
Who cares. OS stuff is easy to replace. The real problem is that it can also destroy any user data... just like every binary on Linux or Windows.
I 100% agree with you. Who cares about protecting the OS (which can easily be restored), it’s my personal documents / pictures which are valuable. Sadly any rogue app (which runs in the “protected” systems) can destroy those “user access” documents. *nix/Win10/Mac doesnt protect against those apps.
The real problem is the OS is fundamentally compromised and your data is at risk of leaking. If you work with data covered by the GDPR that's a no go. Also, I'd not risk logging into my banks website on such an OS.
Back in the day Haiku didn't do the hostname check in its TLS code. Browser, command line tools, package updates, everything just ignored hostnames - so it would have apparently secure HTTPS fetches, but under the hood if you can interpose and hand Haiku a certificate you got for say your personal blog from Let's Encrypt, that checks out fine even though the name doesn't match - so you could impersonate Haiku's update servers. They did, after many years, fix that particular issue, but lots of similar bugs remain, you're primarily hoping nobody tries anything.