
Microsoft has reported that attackers could have exploited a recently patched vulnerability that bypasses Transparency, Consent, and Control (TCC) to steal confidential information from macOS users, including cached Apple Intelligence data.
TCC is a security mechanism and framework in macOS that blocks applications from accessing users’ personal data, giving macOS control over how information is accessed and used by applications across all Apple devices. TCC is responsible for requesting permissions to run new applications and displaying warnings if an application tries to access sensitive data (including contacts, photos, webcams, and so on).
The vulnerability, identified as CVE-2025-31199 and discovered by Microsoft specialists, was patched in March 2025 with the release of updates for macOS Sequoia 15.4.
Although Apple restricts TCC access to applications with full disk access and automatically blocks unauthorized code execution, Microsoft researchers found that attackers could exploit the privileged access of Spotlight plugins to gain access to sensitive files and steal their contents.
In the recently published report, Microsoft experts demonstrated that the vulnerability (which they named Sploitlight) could have been used to collect data, including Apple Intelligence information and remote information about other devices associated with an iCloud account.
In this way, attackers could gain access to photo and video metadata, geolocation data, face and people recognition data, user activity information, photo albums and shared libraries, search history and user preferences, as well as deleted photos and videos.
“While this issue is similar to previous TCC bypasses, including HM-Surf and powerdir, the implications of this vulnerability, which we have named Sploitlight (due to the exploitation of Spotlight plugins), are more severe as it allows for the extraction and theft of confidential information cached by Apple Intelligence. For instance: precise geolocation data, photo and video metadata, facial recognition data, search history, and much more,” explained Microsoft. “The risks are further compounded and intensified by the possibility of remotely linking iCloud accounts. This means that an attacker with access to a macOS user’s device can exploit the vulnerability to obtain remote information about other devices associated with the same iCloud account.”
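A defender-side check for the exposure described above, as an added example that is not taken from the article or from Microsoft's report: it tests whether a host is at the fixed release named here (macOS Sequoia 15.4) and lists Spotlight importer bundles in a user-writable directory for review. The `~/Library/Spotlight` location and the `.mdimporter` bundle extension are not named on this page and are assumptions of the example, as are all function names and the constructed sample data.

```python
import os
import platform
import tempfile

FIXED_RELEASE = (15, 4)  # macOS Sequoia 15.4, the fixed release named in the article


def has_fix(version: str) -> bool:
    """True if a macOS version string is at or above 15.4 (numeric compare)."""
    parts = [int(p) for p in version.strip().split(".") if p.isdigit()]
    parts += [0] * (2 - len(parts))
    return tuple(parts[:2]) >= FIXED_RELEASE


def find_importers(roots):
    """Return sorted paths of *.mdimporter bundles directly under each root."""
    found = []
    for root in roots:
        if not os.path.isdir(root):
            continue
        for name in os.listdir(root):
            path = os.path.join(root, name)
            if name.endswith(".mdimporter") and os.path.isdir(path):
                found.append(path)
    return sorted(found)


def audit(version, user_roots):
    """Combine patch state with importers found in user-writable directories."""
    importers = find_importers(user_roots)
    patched = has_fix(version)
    # Flag for manual review only when the host lacks the fix AND has
    # importers installed somewhere an unprivileged process could write.
    return {"patched": patched, "user_importers": importers,
            "review": bool(importers) and not patched}


def demo():
    """Run the audit on a constructed home directory (sample data, not real)."""
    with tempfile.TemporaryDirectory() as home:
        spot = os.path.join(home, "Library", "Spotlight")
        os.makedirs(os.path.join(spot, "Example.mdimporter"))
        os.makedirs(os.path.join(spot, "NotAPlugin"))
        result = audit("15.3.2", [spot])
        names = [os.path.basename(p) for p in result["user_importers"]]
        return result["patched"], names, result["review"]


if __name__ == "__main__":
    # Assumed per-user importer directory; mac_ver() is empty off macOS.
    version = platform.mac_ver()[0] or "0"
    print(audit(version, [os.path.expanduser("~/Library/Spotlight")]))
```

Versions below 15.4 are reported as lacking the fix only because 15.4 is the one fixed release this article names.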
