SploitLight: Microsoft warns macOS flaw could leak Apple Intelligence metadata

Microsoft has detailed a serious macOS vulnerability that could allow malicious apps to bypass system privacy protections. Dubbed “SploitLight,” the flaw exploited how Spotlight indexes plugin data to access sensitive files and Apple Intelligence metadata. Apple addressed the issue in macOS in March, but users on older versions could be at risk.

Microsoft alerted Apple to the exploit upon discovery, leading to its fix in macOS earlier this year. From Microsoft’s security blog:

Microsoft Threat Intelligence has discovered a macOS vulnerability that could allow attackers to steal private data of files normally protected by Transparency, Consent, and Control (TCC), such as files in the Downloads folder, as well as caches utilized by Apple Intelligence. While similar to prior TCC bypasses like HM-Surf and powerdir, the implications of this vulnerability, which we refer to as “Sploitlight” for its use of Spotlight plugins, are more severe due to its ability to extract and leak sensitive information cached by Apple Intelligence, such as precise geolocation data, photo and video metadata, face and person recognition data, search history and user preferences, and more. These risks are further complicated and heightened by the remote linking capability between iCloud accounts, meaning an attacker with access to a user’s macOS device could also exploit the vulnerability to determine remote information of other devices linked to the same iCloud account.

Now that the fix has been out for a few months, Microsoft is revealing the “SploitLight” exploit it discovered. Here’s a summary of what happened:

The exploit targeted macOS’s Spotlight search and its metadata indexing process.

Malicious apps dropped specially crafted plugins in user-writable directories.

Spotlight would index these plugins, triggering execution without user interaction.

This allowed access to protected locations like Downloads and Safari data.

Apple Intelligence cache metadata could also be read due to weak TCC enforcement.

The exploit bypassed Transparency, Consent, and Control (TCC) protections through a design flaw rather than a memory-safety bug.
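The plugin-drop mechanism summarised above suggests a simple defensive check: inventory the Spotlight importer bundles present in user-writable locations and flag the ones that look out of place. The script below is an added example, not code from Microsoft’s write-up or from Apple; it assumes the standard per-user importer directory ~/Library/Spotlight (which the article does not name) and treats a missing bundle identifier, an absent code signature, or a claim on a root-level content type as heuristics worth a second look.

```python
import plistlib, tempfile
from pathlib import Path

# Assumption: per-user importers load from ~/Library/Spotlight (the article
# does not name the directory); treating root UTIs as "catch-all" is a heuristic.
USER_IMPORTER_DIRS = [Path.home() / "Library" / "Spotlight"]
CATCH_ALL_UTIS = {"public.item", "public.data", "public.content"}

def inspect_importer(bundle: Path) -> dict:
    """Build an inventory record for one .mdimporter bundle."""
    rec = {"path": str(bundle), "bundle_id": None, "utis": [], "issues": []}
    try:
        info = plistlib.loads((bundle / "Contents" / "Info.plist").read_bytes())
    except (OSError, plistlib.InvalidFileException) as exc:
        rec["issues"].append(f"unreadable Info.plist: {exc}")
        return rec
    rec["bundle_id"] = info.get("CFBundleIdentifier")
    for doc in info.get("CFBundleDocumentTypes", []):
        rec["utis"].extend(doc.get("LSItemContentTypes", []))
    if not rec["bundle_id"]:
        rec["issues"].append("missing CFBundleIdentifier")
    # _CodeSignature is only a weak proxy; on macOS confirm with `codesign --verify --deep --strict <bundle>`.
    if not (bundle / "Contents" / "_CodeSignature").is_dir():
        rec["issues"].append("no code signature present")
    if CATCH_ALL_UTIS & set(rec["utis"]):
        rec["issues"].append("claims a catch-all content type")
    return rec

def audit(dirs=USER_IMPORTER_DIRS) -> list:
    """Inspect every *.mdimporter bundle found in the given directories."""
    return [inspect_importer(b) for d in dirs if d.is_dir()
            for b in sorted(d.glob("*.mdimporter"))]

def make_sample_bundle(root: Path, name, bundle_id, utis, signed) -> Path:
    """Constructed fixture: write a minimal importer bundle for offline testing."""
    contents = root / f"{name}.mdimporter" / "Contents"
    contents.mkdir(parents=True)
    info = {"CFBundleDocumentTypes": [{"LSItemContentTypes": list(utis)}]}
    if bundle_id: info["CFBundleIdentifier"] = bundle_id
    (contents / "Info.plist").write_bytes(plistlib.dumps(info))
    if signed: (contents / "_CodeSignature").mkdir()
    return contents.parent

def demo() -> list:
    """Audit two constructed bundles: one benign-looking, one that should be flagged."""
    root = Path(tempfile.mkdtemp())
    make_sample_bundle(root, "Notes", "com.example.notes", ["com.example.note"], True)
    make_sample_bundle(root, "Dropped", None, ["public.data"], False)
    return audit([root])
```

Running `audit()` with no arguments inspects the real per-user directory on a Mac; `demo()` exercises the same logic on constructed bundles so the checks can be tried anywhere.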
