Microsoft Discovers macOS Vulnerability Allowing Attackers to Bypass TCC Protections and Expose Sensitive Data
TL;DR
Microsoft Threat Intelligence researchers uncovered a macOS vulnerability that allows attackers to bypass Transparency, Consent, and Control (TCC) protections, potentially exposing sensitive user data. This flaw, patched by Apple in March 2025, highlights the importance of proactive security measures in safeguarding user privacy.
Microsoft Uncovers macOS Vulnerability Allowing Attackers to Bypass TCC Protections and Expose Sensitive Data
Microsoft Threat Intelligence researchers have identified a significant macOS vulnerability that permits attackers to circumvent Transparency, Consent, and Control (TCC) protections, thereby accessing private data from protected areas such as Downloads and Apple Intelligence caches. This discovery underscores the critical need for robust security measures to safeguard user privacy.
Understanding the Vulnerability
The vulnerability, tracked as CVE-2025-31199, was patched by Apple in March 2025 with the release of macOS Sequoia 15.4. The flaw lets an attacker abuse Spotlight, the macOS search tool, by loading a custom plugin that bypasses TCC protections and reads sensitive files.
Spotlight and the Exploit
Spotlight indexes files with plugins (bundles with the .mdimporter extension) that run in sandboxed processes yet have privileged file access. Microsoft researchers found that an attacker could abuse this by creating a custom Spotlight plugin: by modifying an unsigned plugin’s metadata and forcing Spotlight to load it, the attacker could make the plugin log the contents of private files without holding any TCC permissions.
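A defender-side inventory check written for this summary (it is not Microsoft's Sploitlight tool or Apple code): it walks the directories Spotlight is assumed to load importers from, reads each .mdimporter bundle's Info.plist to report its bundle id and the content types it claims to index (the metadata an attacker would tamper with), treats anything outside /System as a non-Apple importer worth review, and asks Apple's codesign tool whether the bundle is validly signed (reporting "unchecked" where codesign is unavailable). The DEFAULT_ROOTS list and the /System heuristic are assumptions, and make_sample_bundle only builds a constructed fixture.

```python
import os
import plistlib
import shutil
import subprocess
import tempfile
# Directories Spotlight is assumed to load importers from (app-bundled ones sit under /Applications).
DEFAULT_ROOTS = ["/System/Library/Spotlight", "/Library/Spotlight",
                 os.path.expanduser("~/Library/Spotlight"), "/Applications"]

def claimed_types(info):
    """Content types (UTIs) the importer claims to index via CFBundleDocumentTypes."""
    return sorted({t for doc in info.get("CFBundleDocumentTypes", [])
                   for t in doc.get("LSItemContentTypes", [])})

def signature_status(bundle_path):
    """'valid'/'invalid' per Apple's codesign, or 'unchecked' where it is absent."""
    if shutil.which("codesign") is None:
        return "unchecked"
    rc = subprocess.run(["codesign", "--verify", "--strict", bundle_path],
                        capture_output=True).returncode
    return "valid" if rc == 0 else "invalid"

def inspect_importer(bundle_path):
    """Summarise one .mdimporter; an unreadable Info.plist yields bundle_id '<missing>'."""
    try:
        with open(os.path.join(bundle_path, "Contents", "Info.plist"), "rb") as f:
            info = plistlib.load(f)
    except (OSError, plistlib.InvalidFileException):
        info = {}
    return {"path": bundle_path, "types": claimed_types(info),
            "bundle_id": info.get("CFBundleIdentifier", "<missing>"),
            "apple_system": bundle_path.startswith("/System/"),  # assumed heuristic
            "signature": signature_status(bundle_path)}

def find_importers(roots=DEFAULT_ROOTS):
    """Walk the roots and inspect every *.mdimporter bundle found."""
    found = []
    for root in roots:
        for dirpath, dirnames, _ in os.walk(root):
            for d in [n for n in dirnames if n.endswith(".mdimporter")]:
                found.append(inspect_importer(os.path.join(dirpath, d)))
                dirnames.remove(d)  # do not descend into the bundle itself
    return found

def make_sample_bundle(bundle_id, types):
    """Constructed fixture: a minimal importer bundle under a fresh temp dir (returned)."""
    contents = os.path.join(tempfile.mkdtemp(), "Sample.mdimporter", "Contents")
    os.makedirs(contents)
    with open(os.path.join(contents, "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleIdentifier": bundle_id,
                       "CFBundleDocumentTypes": [{"LSItemContentTypes": types}]}, f)
    return os.path.dirname(os.path.dirname(contents))
```

On a Mac, `find_importers()` with the default roots lists every importer; entries whose `apple_system` is False or whose `signature` is "invalid" are the ones to review.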
Sploitlight: Proof of Concept
The researchers developed a proof-of-concept tool named “Sploitlight” to demonstrate this vulnerability. Apple addressed the flaw by improving data redaction and plugin handling in macOS 15.4.
Implications and Risks
This vulnerability allows attackers to access Apple Intelligence cache files, such as Photos.sqlite and photos.db, stored in the Pictures directory. These files contain sensitive data, including GPS locations, timestamps, device info, face recognition data, activity history, and shared album details. Attackers can also access deleted media metadata and AI-generated labels.
Further Concerns
Exfiltrating private data from protected directories such as the Downloads folder and Apple Intelligence caches is particularly alarming because of how sensitive that information is: geolocation data, media metadata, and records of user activity. The impact extends further because data is linked between devices that use the same iCloud account, so information gathered on one device can reveal details about the user's other, remote devices.
Previous Vulnerabilities
In October 2024, Microsoft discovered another vulnerability, tracked as CVE-2024-44133 and code-named ‘HM Surf’, in Apple’s Transparency, Consent, and Control (TCC) framework in macOS. This flaw could allow attackers to bypass privacy settings and access user data, including browsing history, camera, microphone, and location without consent.
Conclusion
The discovery of these vulnerabilities highlights the importance of proactive security measures in safeguarding user privacy. Understanding the implications of TCC bypass vulnerabilities is essential for building proactive defenses that protect user data from unauthorized access.
For more details, visit the full article: source