Microsoft researchers find TCC gap in Apple's Spotlight: data leak imminent
The "Sploitlight" exploit is designed to access sensitive data via Apple Intelligence, among other things. The bug has been fixed and also affects the iPhone.
macOS Spotlight, here already in the upcoming macOS 26.
(Image: Apple)
The TCC (Transparency, Consent and Control) area is always a problem child for Apple: the technology is actually intended to protect macOS from data outflows to apps that the user does not want. However, bugs in this consent and verification framework keep cropping up – often through the back door. One example is a recent bug discovered by security researchers at Microsoft. The gap, called Sploitlight, uses Apple's own Spotlight search function, including errors in Apple Intelligence, to access sensitive data, including location data, meta-information and even facial recognition information. Fortunately, Apple already fixed the bug with macOS 15.4 at the end of March.
No trust in TCC
TCC is actually supposed to ensure that personal information cannot be accessed without user approval. To do this, Apple uses a broad sandboxing – so broadly that the many requests even annoy many users. As part of Sploitlight, Microsoft has now shown that it is possible to access data stored in the cache of Apple's AI system Apple Intelligence. To do this, the researchers manipulated Spotlight plugins in such a way that they were able to create a TCC bypass using standard Spotlight functions such as mdfind (Spotlight on the command line). An attacker must know which file types he or she wants to read. The plugins are even unsigned, so they are much easier for attackers to execute than "normal" apps.
Videos by heise
Microsoft also managed to read photo albums and shared albums, track user activity in the Photos section, view which photos and videos have been deleted and abuse the image classifier, which determines what an image shows.
Intelligence cleverly exploited
Some of the leaks require active Apple Intelligence, others apparently do not. According to Microsoft, it would also be possible to read other cache files, including those from ChatGPT (which is integrated into Apple Intelligence) or email summaries.
Apparently, the iPhone is also partially affected by the vulnerability. Microsoft suggests that it is possible to access synchronized data from a Mac. Apple has patched several gaps in iOS 18.4 that match this. Microsoft provided a total of three bug reports for macOS 15.4 and iOS 18.4, including a bug in the context of checking symlinks and a "state management" error. Users should urgently update their system to the latest version. macOS 15.5 and iOS 18.5 are the latest versions.
Empfohlener redaktioneller Inhalt
Mit Ihrer Zustimmung wird hier ein externer Preisvergleich (heise Preisvergleich) geladen.
Ich bin damit einverstanden, dass mir externe Inhalte angezeigt werden. Damit können personenbezogene Daten an Drittplattformen (heise Preisvergleich) übermittelt werden. Mehr dazu in unserer Datenschutzerklärung.
(bsc)
