Microsoft Threat Intelligence identified a Spotlight-related vulnerability, dubbed “Sploitlight,” a Transparency, Consent, and Control (TCC) bypass capable of leaking sensitive data cached by Apple Intelligence.
This vulnerability, detailed in a Microsoft blog post, leveraged Spotlight plugins to potentially expose private file data. TCC mechanisms are designed to prevent applications from accessing personal information without explicit user consent. The “Sploitlight” exploit circumvented these controls, allowing for unauthorized access to sensitive user data.
Attackers could have acquired precise location data, metadata from photos and videos, face recognition data from the Photo Library, user search histories, AI email summaries, and user preferences. Despite Apple’s sandboxing of Spotlight plugins, which typically restrict access to sensitive files, Microsoft researchers discovered a method to manipulate app bundles pulled by Spotlight, leading to the leakage of file contents.
Shuyal malware is stealing data from 19 different browsers
Microsoft communicated the bypass details to Apple. Apple subsequently addressed the vulnerability in macOS 15.4 and iOS 15.4, updates released on March 31. The vulnerability was not actively exploited prior to its disclosure and resolution. Apple’s security support documentation for the update indicated that the problem was resolved through improved data redaction. Concurrently, Apple addressed two other vulnerabilities, also credited to Microsoft, by enhancing symlink validation and improving state management. Comprehensive information regarding the exploit’s mechanics is available on Microsoft’s official website.
