macOS ‘Sploitlight’ Vulnerability Let Attackers Steal Private Data of Files Bypassing TCC

Posted on July 29, 2025 By CWS

A critical macOS vulnerability allows attackers to bypass Transparency, Consent, and Control (TCC) protections and steal sensitive user data, including files from protected directories and Apple Intelligence caches.

The vulnerability, dubbed “Sploitlight,” exploits Spotlight plugins to access normally protected information without user consent, posing significant privacy risks for macOS users.

Key Takeaways
1. The “Sploitlight” flaw let attackers steal sensitive macOS data.
2. Attackers could access private information across devices linked to the same iCloud account.
3. Apple fixed the issue (CVE-2025-31199) in March 2025.

Spotlight Plugin Exploitation Mechanism

Microsoft Threat Intelligence reports that the vulnerability leverages Spotlight importers – plugins with .mdimporter extensions that help index system content for search functionality.

These plugins operate through the mds daemon and mdworker tasks, which possess privileged access to sensitive files for indexing purposes.

However, researchers discovered that attackers can manipulate these plugins to exfiltrate protected data.

The attack process involves modifying a plugin’s Info.plist and schema.xml files to declare target file types in UTI (Uniform Type Identifier) format.

Attackers can then copy the unsigned bundle to the ~/Library/Spotlight directory and use commands like mdimport -r to force Spotlight to load the malicious plugin.

The exploit logs file contents to the unified log in chunks, allowing extraction of sensitive data through the log utility.

Notably, the calling application does not require TCC permissions because the indexing is performed by the mdworker task, effectively bypassing Apple’s security framework.

Leaking the scanned file’s contents through logging

The uttype utility can determine file types even without TCC access, making the attack more versatile.

The vulnerability’s implications extend beyond basic file access, particularly affecting Apple Intelligence caches stored in protected directories like Pictures.

Attackers can extract highly sensitive information from databases such as Photos.sqlite, including precise GPS coordinates, face recognition data, photo metadata, search history, and user preferences.

TCC Bypass Exfiltration

The breach becomes more concerning due to iCloud account linking, where attackers accessing one macOS device can potentially gather information about other devices connected to the same iCloud account. This includes face tagging and metadata that propagates across Apple devices.

Apple addressed this vulnerability, now tracked as CVE-2025-31199, in security updates for macOS Sequoia released on March 31, 2025.

Microsoft Defender for Endpoint has enhanced its detection capabilities to identify suspicious .mdimporter bundle installations and anomalous indexing of sensitive directories.
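
A defender-side check for the installation path described above, as an added example that is not from the original article, Microsoft, or Apple: it lists .mdimporter bundles in a Spotlight directory and flags those that lack a code signature or declare generic UTIs. The broad-UTI list, the _CodeSignature presence heuristic, and the sample bundle names are assumptions made for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

# Assumption: generic UTIs a single-purpose importer rarely needs to claim.
BROAD_UTIS = {"public.item", "public.data", "public.content", "public.database"}

def declared_utis(info):
    """Collect LSItemContentTypes from every CFBundleDocumentTypes entry."""
    utis = []
    for doc in info.get("CFBundleDocumentTypes", []):
        utis.extend(doc.get("LSItemContentTypes", []))
    return utis

def audit_importers(spotlight_dir):
    """Return one finding per .mdimporter bundle with the reasons to review it."""
    findings = []
    for bundle in sorted(Path(spotlight_dir).glob("*.mdimporter")):
        reasons, utis = [], []
        try:
            with (bundle / "Contents" / "Info.plist").open("rb") as fh:
                utis = declared_utis(plistlib.load(fh))
        except Exception:  # a missing or malformed plist is itself worth review
            reasons.append("Info.plist unreadable")
        # Heuristic only: on a Mac, confirm with `codesign --verify <bundle>`.
        if not (bundle / "Contents" / "_CodeSignature" / "CodeResources").is_file():
            reasons.append("no code signature")
        reasons += [f"broad UTI {u}" for u in utis if u in BROAD_UTIS]
        findings.append({"bundle": bundle.name, "utis": utis, "reasons": reasons})
    return findings

def build_sample(root):
    """Constructed sample: one signed-looking bundle, one unsigned broad one."""
    for name, utis, signed in [("Notes.mdimporter", ["com.example.notes"], True),
                               ("Dropped.mdimporter", ["public.database"], False)]:
        contents = Path(root) / name / "Contents"
        contents.mkdir(parents=True)
        info = {"CFBundleDocumentTypes": [{"LSItemContentTypes": utis}]}
        with (contents / "Info.plist").open("wb") as fh:
            plistlib.dump(info, fh)
        if signed:
            (contents / "_CodeSignature").mkdir()
            (contents / "_CodeSignature" / "CodeResources").write_bytes(b"")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in audit_importers(build_sample(tmp)):
            print(f["bundle"], f["utis"], f["reasons"] or "ok")
```

On a Mac, pass Path.home() / "Library" / "Spotlight" to audit_importers and verify any flagged bundle with codesign before trusting the result.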

Users are strongly advised to apply Apple’s security updates immediately to protect against this TCC bypass vulnerability, which represents a significant threat to user privacy and data security.
