Cyber Web Spider Blog – News

Sploitlight: macOS Vulnerability Leaks Sensitive Information


Posted on July 29, 2025 By CWS

A vulnerability in macOS could have allowed attackers to bypass Apple’s Transparency, Consent, and Control (TCC) protections and access sensitive information, Microsoft says.

Tracked as CVE-2025-31199 and described as a logging issue, the flaw was addressed in March 2025 with the release of macOS Sequoia 15.4, iOS 18.4 and iPadOS 18.4, and visionOS 2.4.

“An app may be able to access sensitive user data. A logging issue was addressed with improved data redaction,” Apple’s advisory explains.

Microsoft, which reported the security defect, built a proof-of-concept (PoC) exploit named Sploitlight to demonstrate how Spotlight plugins, which are called importers, can be used to leak sensitive user information and file contents.

Spotlight is a built-in application in macOS that helps users quickly find content on a device by indexing it. The application relies on importers for further indexing, consuming data from index files stored locally.

Apple’s TCC technology is meant to prevent applications from accessing a user’s personal information, such as their Downloads and Pictures directories, location services, camera, and microphone, without their consent.

“The only legitimate method for an application to gain access to these services is through user approval via a popup prompt within the user interface or by granting per-app access in the operating system’s settings,” Microsoft explains.

Spotlight plugins, which have privileged access to sensitive files, are governed by heavy restrictions, but Microsoft discovered that they could be abused to exfiltrate the contents of well-defined file types, as well as other sensitive information.

“On modern macOS systems, Spotlight plugins are not even permitted to read or write any file other than the one being scanned. However, we have concluded that this is insufficient, as there are multiple ways for attackers to exfiltrate the file’s contents,” Microsoft explains.

An attacker with access to a device, Microsoft says, needs to modify the Spotlight plugin’s files declaring the file types to be processed, copy the modified bundle to the ~/Library/Spotlight directory, force Spotlight to use it, recursively scan files under the defined path and leak them, and then use the log utility to read the files’ contents.

Additionally, the tech giant explains, the security defect can be exploited to leak data that Apple Intelligence caches under various directories, such as the Pictures folder (where the files are protected by the ‘Pictures’ TCC service type).

An attacker could abuse the flaw to leak precise geolocation data, photo and video metadata, face and other recognition data, user activity and event context, photo albums and shared libraries, metadata of recently deleted items, image classification and object detection, and search history and user preferences.

According to Microsoft, an attacker could also extract remote information of other Apple devices that share the same iCloud account associated with the macOS system that the attacker has access to.

“The implications of this vulnerability are even more extensive given the remote linking capability between devices using the same iCloud account, enabling attackers to determine more remote information about a user through their linked devices,” Microsoft notes.
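
The steps Microsoft describes depend on a modified importer bundle being placed in the per-user ~/Library/Spotlight directory, so that directory is worth auditing alongside the OS version. The Python below is an added example, not code from Microsoft or Apple: it lists each `.mdimporter` bundle in a directory with the content types its Info.plist declares and flags bundle IDs missing from a reviewed baseline. The baseline set, the sample bundle and its `com.example` identifiers are constructed for illustration, and the version check assumes only the macOS release named in the article.

```python
import plistlib
import tempfile
from pathlib import Path

PATCHED_MACOS = (15, 4)  # macOS Sequoia 15.4 carries the fix, per the article

def is_patched(product_version: str) -> bool:
    """True if a macOS version string such as '15.3.2' is 15.4 or later."""
    nums = [int(p) for p in product_version.split(".")] + [0]
    return tuple(nums[:2]) >= PATCHED_MACOS

def audit_importers(spotlight_dir: Path, baseline: set[str]) -> list[dict]:
    """Report each .mdimporter bundle, the content types it claims, and
    whether its bundle ID is missing from the reviewed baseline."""
    findings = []
    for bundle in sorted(spotlight_dir.glob("*.mdimporter")):
        try:
            with (bundle / "Contents" / "Info.plist").open("rb") as fh:
                info = plistlib.load(fh)
        except Exception:  # a missing or malformed plist is itself worth a look
            info = {}
        if not isinstance(info, dict):
            info = {}
        # Importers declare the file types they handle under these keys.
        types = [t for doc in info.get("CFBundleDocumentTypes", [])
                 for t in doc.get("LSItemContentTypes", [])]
        bundle_id = info.get("CFBundleIdentifier")
        findings.append({"bundle": bundle.name, "bundle_id": bundle_id,
                         "content_types": types,
                         "unexpected": bundle_id not in baseline})
    return findings

def make_sample_dir() -> Path:
    """Constructed fixture: one importer bundle with a made-up bundle ID."""
    root = Path(tempfile.mkdtemp())
    contents = root / "Sample.mdimporter" / "Contents"
    contents.mkdir(parents=True)
    info = {"CFBundleIdentifier": "com.example.sample-importer",
            "CFBundleDocumentTypes": [
                {"CFBundleTypeRole": "MDImporter",
                 "LSItemContentTypes": ["public.jpeg", "com.example.note"]}]}
    with (contents / "Info.plist").open("wb") as fh:
        plistlib.dump(info, fh)
    return root

if __name__ == "__main__":
    # On a Mac, audit the real per-user directory against an empty baseline.
    for finding in audit_importers(Path.home() / "Library" / "Spotlight", set()):
        print(finding)
```

Any bundle reported as unexpected, or one whose declared content types changed since the last review, is a candidate for closer inspection.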
