Microsoft Researchers Discover TCC Vulnerability in Apple's Spotlight: Risk of Data Leak

Tue 29th Jul, 2025

Recent findings by researchers from Microsoft have uncovered a significant vulnerability within Apple's TCC (Transparency, Consent, and Control) framework, specifically related to the Spotlight search functionality. This vulnerability, dubbed 'Sploitlight,' poses a risk of sensitive data exposure, including location information, metadata, and facial recognition data.

The TCC framework is designed to protect macOS users by regulating app access to personal information, requiring user consent before any data retrieval. However, flaws within this system have been consistently reported, and the latest exploit highlights how attackers could bypass these safeguards. By manipulating plugins for the built-in Spotlight search, attackers can gain unauthorized access to cached data managed by Apple's AI system, Apple Intelligence.

Microsoft's investigation revealed that with the right knowledge, it is possible to access various file types through typical Spotlight functions, such as the command-line tool 'mdfind.' The vulnerability is exacerbated by the fact that the plugins involved are unsanctioned, making them easier to deploy than standard applications.

Additionally, the researchers demonstrated the ability to extract information from photo albums and shared albums, track user activities related to photos, and identify which photos and videos had been deleted. The misuse of the image classifier, which determines the content of images, further complicates the issue.

Some of the data leaks identified by Microsoft appear to necessitate active engagement from Apple Intelligence, while others do not. The researchers have indicated that it may also be feasible to access other cache files, including those associated with integrated services like ChatGPT or email summaries.

Furthermore, the vulnerability reportedly impacts not just macOS systems but may also extend to iPhones. Microsoft suggested that it is conceivable for data synchronized from a Mac to be intercepted. Apple has addressed several vulnerabilities in iOS 18.4, which are pertinent to this issue, and it is crucial for users to update their systems promptly. The latest versions available are macOS 15.5 and iOS 18.5.

In a recent blog post, Microsoft refrained from specifying which particular Apple Intelligence caches were compromised. The examples provided by the company indicate that the accessed data could be available even without Apple Intelligence being active. Further inquiries with one of the security researchers are underway, and updates will be provided as more information becomes available.

