Microsoft Threat Intelligence Discovers macOS Spotlight Vulnerability

Microsoft Threat Intelligence has discovered a Spotlight-related macOS vulnerability that could allow attackers to steal private file data, according to a blog post published today. Microsoft's threat team has dubbed it “Sploitlight” because the bypass relies on Spotlight plugins. The post summarizes the issue as follows:

Microsoft Threat Intelligence has discovered a macOS vulnerability that could allow attackers to steal private data of files normally protected by Transparency, Consent, and Control (TCC), such as files in the Downloads folder, as well as caches utilized by Apple Intelligence. While similar to prior TCC bypasses like HM-Surf and powerdir, the implications of this vulnerability, which we refer to as “Sploitlight” for its use of Spotlight plugins, are more severe due to its ability to extract and leak sensitive information cached by Apple Intelligence, such as precise geolocation data, photo and video metadata, face and person recognition data, search history and user preferences, and more. These risks are further complicated and heightened by the remote linking capability between iCloud accounts, meaning an attacker with access to a user’s macOS device could also exploit the vulnerability to determine remote information of other devices linked to the same iCloud account.

TCC (Transparency, Consent, and Control) is the macOS mechanism that blocks apps from reading personal data, such as files in the Downloads folder, without explicit user consent. Spotlight plugins, which let an app's file types show up in Spotlight search results, run sandboxed and are not supposed to be able to read TCC-protected files. Microsoft's researchers found a way around that restriction by modifying the app bundles that Spotlight loads plugins from, causing the contents of protected files to be leaked.

There is no indication that the vulnerability was ever exploited in the wild: Microsoft shared the details of the flaw with Apple, which shipped a fix in macOS 15.4, iOS 18.4, and iPadOS 18.4 on March 31.
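Since the fix shipped in a specific macOS release and the bypass lives in third-party Spotlight importer plugins, the two things an administrator will want to check on a fleet are the installed OS version and which importers are registered that did not ship with macOS. The script below is an added example, not code from the article or from Microsoft's post. It assumes that `sw_vers -productVersion` prints the dotted OS version and that `mdimport -L` prints the registered importer paths as quoted strings, one per line (the format seen on recent macOS; adjust the `grep` pattern if your build differs). Neither tool exists outside macOS, so on other systems the host check reports nothing and only the version comparison runs.

```shell
#!/bin/sh
# Added triage script (not from the Microsoft post or the article).
# 1. Reports whether this Mac runs a macOS release at or past the one that
#    carries the Sploitlight fix (15.4, per the article).
# 2. Lists Spotlight importer plugins registered outside /System, i.e. ones
#    installed by third-party apps or by a user, so they can be reviewed.
# Assumption: `mdimport -L` prints importer paths as quoted strings, one per
# line; the parser below only keys on the quotes and the .mdimporter suffix.

FIXED_VERSION="15.4"   # first macOS release with the fix, per the article

# version_at_least CURRENT REQUIRED
# Returns 0 when CURRENT >= REQUIRED, comparing up to four dotted numeric
# components; missing components are treated as 0 (15.4.1 >= 15.4, 15.3.2 < 15.4).
version_at_least() {
    cur="$1.0.0.0"
    req="$2.0.0.0"
    i=1
    while [ "$i" -le 4 ]; do
        c=$(printf '%s' "$cur" | cut -d. -f"$i")
        r=$(printf '%s' "$req" | cut -d. -f"$i")
        [ "$c" -gt "$r" ] && return 0
        [ "$c" -lt "$r" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# list_third_party_importers
# Prints every registered Spotlight importer whose path is not under /System.
# Importers normally live in /Library/Spotlight, ~/Library/Spotlight, or inside
# an app at <App>.app/Contents/Library/Spotlight/. Prints nothing off macOS.
list_third_party_importers() {
    command -v mdimport >/dev/null 2>&1 || return 0
    mdimport -L 2>&1 \
        | grep -o '"[^"]*\.mdimporter[^"]*"' \
        | tr -d '"' \
        | grep -v '^/System/' \
        | sort -u
}

# check_host
# Combines the two checks into a short report for this machine.
check_host() {
    if ! command -v sw_vers >/dev/null 2>&1; then
        echo "not macOS; nothing to check on this host"
        return 0
    fi
    ver=$(sw_vers -productVersion)
    if version_at_least "$ver" "$FIXED_VERSION"; then
        echo "macOS $ver: Sploitlight fix present (>= $FIXED_VERSION)"
    else
        echo "macOS $ver: UNPATCHED, update to $FIXED_VERSION or later"
    fi
    echo "Spotlight importers registered outside /System (review each):"
    list_third_party_importers | sed 's/^/  /'
}

check_host
```

The version comparison is deliberately numeric per component rather than a string compare, so 15.10 would sort after 15.4; the importer list is an inventory, not a verdict, and each third-party importer still has to be checked against what its parent app legitimately needs.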

For additional information about the exploit, visit the Microsoft Security blog.