From strings to riches: Finding a user-assisted LPE in the wild
Recently, @pwnsdx noticed that Blizzard’s Battle.net application modifies macOS’s list of trusted X.509 certificates. Many applications use this list to decide whether a website or networked service should be trusted, so modifying it is generally a bad idea. While researching this behavior with @pwnsdx, I discovered a user-assisted local privilege escalation (UALPE) vulnerability in the Battle.net installer. In this post, I would like to share how I discovered this issue and outline some of the strategies that led me to it.