New macOS Vulnerability Allows Attackers to Steal Private Files by Bypassing TCC
Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that enables attackers to bypass Apple’s Transparency, Consent, and Control (TCC) framework, potentially exposing sensitive user data including files protected by privacy controls and information cached by Apple Intelligence.
Vulnerability Overview
The newly discovered vulnerability, dubbed “Sploitlight” by Microsoft researchers, exploits Spotlight plugins to access private files that TCC restrictions should normally protect.
Unlike previous TCC bypasses such as HM-Surf and powerdir, this vulnerability poses more severe risks due to its ability to extract sensitive information cached by Apple Intelligence, including precise geolocation data, photo and video metadata, facial recognition data, search history, and user preferences.
| Field | Details |
| --- | --- |
| CVE ID | CVE-2025-31199 |
| Discovery Date | Discovered during proactive threat hunting |
| Disclosure Method | Coordinated Vulnerability Disclosure (CVD) |
| Affected Systems | macOS Sequoia and earlier versions |
| Patch Release Date | March 31, 2025 |
| Severity Level | High (due to TCC bypass and AI data exposure) |
| Attack Vector | Local access required |
| Discoverer | Microsoft Security Vulnerability Research (MSVR) |
The vulnerability is particularly concerning because of how data is linked across devices through iCloud: an attacker with access to one macOS device could potentially exploit the flaw to gather information from other devices signed in to the same iCloud account.
The exploit leverages Spotlight importers, which are macOS bundles ending with a .mdimporter suffix designed to help index data for search functionality.
These plugins normally operate under heavy sandbox restrictions, only permitted to read the specific file being scanned.
However, Microsoft researchers discovered that attackers can manipulate these plugins to exfiltrate file contents by logging data to the unified log system.
The attack process involves modifying the bundle’s configuration files to declare target file types, copying the malicious bundle to the ~/Library/Spotlight directory, and using mdimport commands to scan and leak protected files.

Notably, the malicious bundle doesn’t require code signing, making the attack relatively straightforward to execute.
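As an added defender-side example (not code from the Microsoft write-up or this article), the following Python inventories any .mdimporter bundles installed in a user-level Spotlight directory, reads the content types each declares in its Info.plist, and checks its code signature where codesign is available. The BROAD_UTIS heuristic and the sample bundles are constructed here for illustration.

```python
import glob
import os
import plistlib
import shutil
import subprocess
import tempfile

# Constructed heuristic (not from the write-up): UTIs broad enough to claim nearly any file.
BROAD_UTIS = {"public.data", "public.item", "public.content"}


def declared_types(bundle_dir):
    """UTIs the bundle claims via CFBundleDocumentTypes / LSItemContentTypes."""
    with open(os.path.join(bundle_dir, "Contents", "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    return [uti for doc in info.get("CFBundleDocumentTypes", [])
            for uti in doc.get("LSItemContentTypes", [])]


def signature_status(bundle_dir):
    """'ok' / 'invalid' per codesign on macOS; 'unverifiable' where codesign is absent."""
    try:
        rc = subprocess.call(["codesign", "--verify", "--strict", bundle_dir], stderr=subprocess.DEVNULL)
    except FileNotFoundError:
        return "unverifiable"
    return "ok" if rc == 0 else "invalid"


def audit_spotlight_importers(spotlight_dir):
    """Inventory each *.mdimporter under spotlight_dir (e.g. ~/Library/Spotlight); [] if none."""
    findings = []
    for path in sorted(glob.glob(os.path.join(spotlight_dir, "*.mdimporter"))):
        utis = declared_types(path)
        findings.append({"bundle": os.path.basename(path), "utis": utis,
                         "broad_claim": any(u in BROAD_UTIS for u in utis),
                         "signature": signature_status(path)})
    return findings


def build_sample_tree():
    """Constructed sample bundles (Info.plist only) so the audit can run offline."""
    root = tempfile.mkdtemp()
    for name, utis in (("Notes.mdimporter", ["com.example.notes"]),
                       ("Sweep.mdimporter", ["public.data"])):
        contents = os.path.join(root, name, "Contents")
        os.makedirs(contents)
        with open(os.path.join(contents, "Info.plist"), "wb") as fh:
            plistlib.dump({"CFBundleDocumentTypes": [{"LSItemContentTypes": utis}]}, fh)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for finding in audit_spotlight_importers(root):
        print(finding)
    shutil.rmtree(root)
```

On a real host, point it at os.path.expanduser("~/Library/Spotlight"); that directory does not exist on a stock install, so any importer found there, especially an unsigned one claiming a broad type, warrants review.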
The vulnerability becomes particularly dangerous when targeting Apple Intelligence cache files stored in protected directories like the Pictures folder.
These database files contain highly sensitive information processed by Apple’s AI system, including detailed user behavior patterns and device usage data that could be exploited for surveillance or identity theft purposes.
Apple addressed this vulnerability in the macOS Sequoia security update released on March 31, 2025.
The company worked with Microsoft through a coordinated disclosure process to develop and deploy the fix.
Security experts strongly recommend that all macOS users apply the latest security updates immediately to protect against potential exploitation of this vulnerability.
Organizations should prioritize patching systems that handle sensitive data or have Apple Intelligence features enabled, as these environments face the highest risk from this attack vector.