
Microsoft Exposes macOS Sploitlight Flaw Leaking Apple Data

Summary

– A patched macOS vulnerability (CVE-2025-31199) allowed attackers to bypass TCC security checks and steal sensitive data, including Apple Intelligence cached information.
– TCC is a macOS privacy framework that restricts apps from accessing private user data without permission.
– Attackers exploited Spotlight plugins’ privileged access to harvest data like geolocation, photo metadata, and search history, as detailed in Microsoft’s “Sploitlight” report.
– Apple has previously patched other TCC bypasses, including exploits involving Time Machine mounts and environment variable poisoning.
– Microsoft researchers have uncovered multiple macOS vulnerabilities, including SIP bypasses like “Shrootless” and “Migraine,” enabling malware installation or kernel driver deployment.

A newly discovered macOS vulnerability allowed attackers to bypass critical privacy protections and access sensitive user data, including cached Apple Intelligence information. The flaw, now patched by Apple, exploited weaknesses in the system’s Transparency, Consent, and Control (TCC) framework, a core security feature designed to prevent unauthorized access to private files.

Security researchers from Microsoft identified the issue, tracked as CVE-2025-31199, which they named Sploitlight due to its exploitation of Spotlight plugins. While Apple restricts TCC access to apps with full disk permissions, the researchers found that attackers could leverage privileged plugin functions to extract protected data. This included photo metadata, geolocation details, facial recognition data, search history, and even deleted media, posing significant privacy risks.

Apple addressed the flaw in macOS Sequoia 15.4 with improved data redaction measures. However, the implications were severe, as the vulnerability could also expose information from other devices linked to the same iCloud account. Microsoft emphasized that Sploitlight’s impact surpassed previous TCC bypasses like HM-Surf and powerdir, given its ability to harvest extensive personal data cached by Apple Intelligence.

This isn’t the first time macOS security has been compromised through TCC bypasses. Past vulnerabilities, such as CVE-2020-9771 (Time Machine mounts) and CVE-2021-30713 (bundle conclusion issues), similarly allowed unauthorized data access. Microsoft’s team has a history of uncovering critical macOS flaws, including Shrootless (CVE-2021-30892), which enabled rootkit installations, and Migraine (CVE-2023-32369), a System Integrity Protection (SIP) bypass.

The discovery highlights ongoing challenges in securing macOS against sophisticated exploits. With attackers continually refining their methods, Apple’s rapid response to patch Sploitlight underscores the importance of timely updates. Users are advised to ensure their systems are running the latest macOS version to mitigate such threats.
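The mitigation the article gives is to be on the release that carries the fix, which it names as macOS Sequoia 15.4. The script below is an added example, not part of the article or of Microsoft's report: it compares a macOS product version string against 15.4 component by component (so that 15.10 is correctly treated as newer than 15.4) and reports whether the running system is at or past that release. The `version_ge` and `sploitlight_fix_status` function names and the constructed sample versions are this example's own. It only encodes the single release the article states; it does not model fixes Apple may have back-ported to earlier major versions, which the article does not cover, so a 14.x result of "unpatched" should be read as "not on the release named here", not as a confirmed exposure.

```shell
#!/bin/sh
# Added example (not from the article): check whether a macOS version is at or past
# macOS Sequoia 15.4, the release the article names as fixing Sploitlight (CVE-2025-31199).

# Release named in the article as carrying the fix.
PATCHED_VERSION="15.4"

# version_ge A B : exit 0 when dotted version A >= dotted version B.
# Components are compared numerically, missing trailing components count as 0,
# so 15.10 > 15.4 and 15.4.1 > 15.4 (a plain string compare would get both wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, ".");
        nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xa = (i <= na) ? x[i] + 0 : 0;
            yb = (i <= nb) ? y[i] + 0 : 0;
            if (xa > yb) exit 0;
            if (xa < yb) exit 1;
        }
        exit 0;   # all components equal
    }'
}

# sploitlight_fix_status VERSION : prints "patched" or "unpatched" and returns 0 or 1.
# Only the 15.4 threshold from the article is modelled; back-ported fixes for
# earlier major versions are outside what this example knows.
sploitlight_fix_status() {
    if version_ge "$1" "$PATCHED_VERSION"; then
        echo "patched"
        return 0
    fi
    echo "unpatched"
    return 1
}

# On a Mac, report the running system; elsewhere (no sw_vers) do nothing at top level.
if command -v sw_vers >/dev/null 2>&1; then
    running=$(sw_vers -productVersion)
    printf 'macOS %s: %s (fix threshold %s)\n' \
        "$running" "$(sploitlight_fix_status "$running")" "$PATCHED_VERSION"
fi
```

Run it as `sh check_sploitlight.sh` on the host, or source it and call `sploitlight_fix_status 15.3` from a fleet-inventory script that already has version strings collected. The awk comparison is deliberate: `sort -V` is not available on every macOS or POSIX system, while awk is.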

Beyond Sploitlight, Microsoft’s researchers have exposed other high-risk vulnerabilities, including Achilles (CVE-2022-42821), which bypassed Gatekeeper protections, and a recent SIP bypass (CVE-2024-44243) permitting malicious kernel driver installations. These findings reinforce the need for robust security measures across all platforms, as even tightly controlled ecosystems like macOS remain vulnerable to determined attackers.

(Source: Bleeping Computer)
