Microsoft Discovers macOS Flaw That Leaks Apple Intelligence Data
Microsoft researchers have unveiled Sploitlight, a practical technique for bypassing macOS’s TCC protections by abusing Spotlight plugins—an exploit that can siphon data from protected databases, including those that feed Apple Intelligence features.
The study hinges on an old yet still functional behavior: Spotlight plugins are permitted to access TCC-protected files for the purpose of indexing. Although a plugin executes in a constrained environment, it nevertheless inherits the right to read any files Spotlight has been instructed to process.
The authors demonstrate that the sandbox’s exfiltration constraints can be circumvented via Darwin system notifications. Since a notification cannot carry a payload, its name is repurposed as a byte channel: the plugin emits a sequence of notifications whose names encode byte values (0–255), while an external listener collects these events and reconstructs the file’s contents.
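A defender-side illustration of the pattern described above, added here and not taken from the Microsoft research or its proof of concept: the detector below flags a process that posts many notifications whose names differ only by a trailing value in the 0–255 range. The event records, process labels, notification names and the prefix-plus-decimal naming scheme are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Assumed naming scheme: a fixed prefix ending in a non-digit, then a decimal value.
NAME_RE = re.compile(r"^(?P<prefix>.*\D)(?P<value>\d{1,3})$")

def find_byte_channels(events, min_events=32, min_distinct=16):
    """Flag posters whose notification names look like a per-byte channel.

    events: iterable of (poster, notification_name) pairs (assumed record shape).
    A family is one poster plus one name prefix; it is reported when it has
    at least min_events posts covering at least min_distinct values in 0-255.
    """
    families = defaultdict(list)
    for poster, name in events:
        match = NAME_RE.match(name)
        if match is None:
            continue  # name carries no trailing number
        value = int(match.group("value"))
        if value <= 255:
            families[(poster, match.group("prefix"))].append(value)

    findings = []
    for (poster, prefix), values in families.items():
        distinct = len(set(values))
        if len(values) >= min_events and distinct >= min_distinct:
            findings.append({"poster": poster, "prefix": prefix,
                             "events": len(values), "distinct_values": distinct})
    return sorted(findings, key=lambda f: f["events"], reverse=True)

# Constructed sample events (not captured from a real system).
BENIGN_EVENTS = (
    [("proc-77", "example.sync.tick.1")] * 100      # one name repeated often
    + [("proc-88", "example.display.changed")] * 5  # no numeric suffix
)
SUSPECT_EVENTS = [("proc-1042", f"example.chan.{v}") for v in range(64)]
SAMPLE_EVENTS = BENIGN_EVENTS + SUSPECT_EVENTS

if __name__ == "__main__":
    for finding in find_byte_channels(SAMPLE_EVENTS):
        print(finding)
```

The thresholds are starting points and need tuning against a baseline of normal notification traffic.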
The proof of concept was run on macOS Tahoe and consists of two Xcode projects: a plugin and a listener. In tests the target was knowledgeC.db, a database storing telemetry and behavioral data; the plugin succeeded in reading and relaying the file’s initial bytes, even though a normal process is denied direct access to it. Similar bypasses have been documented previously and addressed by fixes such as CVE-2024-54533 and the more recent CVE-2025-31199.
The researchers note important limitations: installing a plugin requires local privileges; the notification channel is extremely narrowband and unsuited to exfiltrating gigabytes in real time; some files are not indexed or already have immutable handlers; and while modern systems surface an installation prompt to the user, the process responsible for rendering that prompt can itself be suspended by an attacker.
The practical takeaway is clear: Spotlight remains a valuable yet potentially perilous subsystem of macOS—its extensibility brings tangible benefits but also opens covert channels. Recommended mitigations include tightening plugin installation policies, enforcing explicit user consent before registration, and redesigning interprocess notification mechanisms so that event names cannot be abused as covert data conduits. These proposals have already surfaced in community discussions, and the new findings—presented in follow-up research and conference talks—add urgency to architectural reforms of the indexing service.