Apple blocks exploit that leaked Apple Intelligence & synced iPhone data

Jump to First Reply
AppleInsiderAppleInsider
Posted:
in macOS

Apple has patched a serious macOS vulnerability that could have let attackers secretly access files protected by user privacy settings, including sensitive data tied to Apple Intelligence.

Open laptop on a white table displaying video editing software with people standing in the blurred background.
Install the latest macOS security update



Microsoft's security team discovered the flaw and published their findings on July 28. The exploit, which they named "Sploitlight," used Spotlight plugins to bypass macOS's Transparency, Consent, and Control (TCC) protections.

These controls are supposed to prevent apps from accessing personal data like location, photos, and downloads without user permission.

The bug enabled attackers to scan and leak protected file contents, such as photo metadata, GPS history, and Apple Intelligence cache files. Since iCloud syncs this data across devices, access to one Mac could reveal information from a user's iPhone or iPad.

Microsoft reported the issue to Apple earlier in 2025. Apple fixed it on March 31 in a security update for macOS Sequoia, tracked as CVE-2025-31199 in a database of known security flaws.

What made Sploitlight dangerous



Spotlight is built into every Mac and helps users quickly find files by indexing them in the background. To do that, it relies on small tools called Spotlight importers. These plugins are designed to scan specific file types and feed metadata back to the system.

Normally, they run in a sandbox and aren't allowed to access anything beyond the file being scanned. Microsoft's team found a way around those restrictions.

By creating or modifying a plugin, attackers could log a file's contents and then read it back using system logs. The plugin didn't need to be signed or run with elevated privileges.

It could be placed in a user folder and activated using standard macOS tools. Once running, the plugin could scan files in TCC-protected locations, including the Downloads, Desktop, and Pictures folders.

That gave attackers access to private images, video metadata, and even face recognition tags. If the user had Apple Intelligence enabled, they could also leak cached content like note summaries and search preferences.

How to stay safe



If you're using a Mac, install the latest macOS security update as soon as possible. The fix for this issue is included in the March 31, 2025, update for macOS Sequoia. Even if you haven't noticed anything unusual, it's a good idea to keep your system up to date.

Avoid installing unfamiliar Spotlight plugins or unsigned software, especially if it requests access to system folders. Monitor background processes and use security tools to detect suspicious behavior.

Finally, remember that syncing across iCloud can increase your exposure. One compromised device might give attackers insight into others, so secure every Mac, iPhone, and iPad tied to your account.



Read on AppleInsider

Sign In or Register to comment.