Microsoft researchers have discovered a critical security flaw within Apple’s macOS that could allow attackers to bypass core privacy protections and access sensitive user data. The vulnerability, identified as CVE-2025-31199, targets the Transparency, Consent, and Control (TCC) framework, a system designed to prevent unauthorized access to private information. By exploiting the system’s own search functionality, an attacker could steal data from protected directories, including Apple Intelligence caches.
The “Sploitlight” Exploit
The exploit, which the Microsoft team dubbed “Sploitlight,” cleverly weaponizes the macOS Spotlight search tool. Spotlight uses plugins called .mdimporters to index files across the system. While these plugins run in a restricted sandbox, they are granted privileged access to read the files they are indexing. The researchers found they could create a custom, unsigned plugin and manipulate its metadata to force Spotlight to load it. This gave their malicious code the ability to read the contents of any file being indexed, effectively sidestepping the TCC permissions that would normally block such an action.
The implications of this bypass are particularly alarming due to the rise of Apple Intelligence. The Sploitlight exploit could access sensitive cache files like Photos.sqlite, which store a treasure trove of personal information. This data includes not just photo metadata but also GPS locations, timestamps, facial recognition data, user activity history, and details from shared albums. Even metadata from deleted media can remain in these files. Researchers warned that other AI-generated data, such as email summaries or notes, could also be exposed.
iCloud and Cross-Device Risks
The potential for data exposure extends beyond a single compromised Mac. Because much of this sensitive metadata syncs via iCloud, an attacker could gain insights into a user’s activity on all their linked Apple devices. By accessing the synced photos.db file on a Mac, for instance, an attacker could learn about photos taken on a user’s iPhone, including where and when they were taken. This cross-device linkage dramatically expands the scope of the privacy breach, allowing for a more comprehensive profile of the user to be built.
Apple’s Patch and Ongoing Vigilance
In response to Microsoft’s findings, Apple patched the vulnerability in the macOS Sequoia 15.4 update, which improves data redaction and strengthens how Spotlight handles plugins. This discovery highlights the continuous need for security auditing, even in well-established operating systems. It came just months after Microsoft found another TCC bypass, ‘HM Surf’ (CVE-2024-44133), which specifically targeted Safari to access Browse history, camera, and microphone data without consent. These findings underscore that protecting user privacy is an ongoing battle requiring constant vigilance from both platform creators and security researchers.
Reference:
