Microsoft has reported that attackers could have exploited a recently patched vulnerability bypassing Transparency, Consent, and Control (TCC) to steal confidential information from macOS users, including cached Apple Intelligence data.
TCC is a security mechanism and framework in macOS that blocks applications from accessing users’ personal data, giving macOS control over how information is accessed and used by applications across all Apple devices. TCC is responsible for requesting permissions to run new applications and displaying warnings if an application tries to access sensitive data (including contacts, photos, webcams, and so on).
The vulnerability, identified as CVE-2025-31199 and discovered by Microsoft specialists, was patched in March 2025 with the release of updates for macOS Sequoia 15.4.
The issue was that although Apple restricts TCC access to applications with full disk access and automatically blocks unauthorized code execution, Microsoft researchers found that attackers could exploit the privileged access of Spotlight plugins to gain access to sensitive files and steal their contents.
In the recently published report, Microsoft experts demonstrated that the vulnerability (which they named Sploitlight) could have been used to collect data, including Apple Intelligence information and remote information about other devices associated with an iCloud account.
This way, attackers could gain access to photo and video metadata, geolocation data, face and people recognition data, user activity information, photo albums and shared libraries, search history and user preferences, as well as deleted photos and videos.
“While this issue is similar to previous TCC bypasses, including HM-Surf and powerdir, the implications of this vulnerability, which we have named Sploitlight (due to the exploitation of Spotlight plugins), are more severe as it allows for the extraction and theft of confidential information cached by Apple Intelligence. For instance: precise geolocation data, photo and video metadata, facial recognition data, search history, and much more,” explained Microsoft. “The risks are further compounded and intensified by the possibility of remotely linking iCloud accounts. This means that an attacker with access to a macOS user’s device can exploit the vulnerability to obtain remote information about other devices associated with the same iCloud account.”
2025.01.22 — Fake Homebrew Infects macOS and Linux Machines with infostealer
Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.…
Full article →
2025.02.06 — Let's Encrypt to stop sending expiration notification emails
The nonprofit organization announced that, starting June 4, 2025, it will stop sending expiration notification emails to subscribers. The primary reason behind this decision…
Full article →
2025.01.26 — Cisco patched a critical vulnerability in Meeting Management
Cisco released updates to fix a critical (CVSS score: 9.9) vulnerability in Meeting Management. The bug enables an unprivileged remote authenticated attacker to gain administrative privileges. The vulnerability…
Full article →
2025.03.24 — Alexa to stop processing data locally. All voice requests will be sent to Amazon Cloud
Amazon announced that the privacy option allowing users of Echo speakers to avoid sending their voice recordings to the company's cloud will no longer be supported. Effective March…
Full article →
2025.02.09 — Abandoned AWS S3 buckets could be used in attacks targeting supply chains
watchTowr discovered plenty of abandoned Amazon S3 buckets that could be used by attackers to deliver malware and backdoors to government agencies and large corporations. The researchers discovered…
Full article →
2025.04.16 — Android devices will restart every three days to protect user data
Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an…
Full article →
2025.04.08 — Website of Everest ransomware group hacked and defaced
Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…
Full article →
2025.01.27 — YouTube plays hour-long ads to users with ad blockers
Users complain that YouTube plays very long unskippable ads. Sometimes such ads are longer than the video the person is watching. The issue was raised…
Full article →
2025.02.28 — Qualcomm extends support for Android devices to 8 years
Qualcomm Technologies announced its collaboration with Google with the purpose to provide extended support for OEM devices running on company's flagship chipsets. This partnership will…
Full article →
2025.02.01 — Critical RCE vulnerability fixed in Cacti
A critical vulnerability has been discovered in the open-source Cacti framework: it enables an authenticated attacker to remotely execute arbitrary code. Vulnerability's ID is CVE-2025-22604; its…
Full article →