Attackers may use a not too long ago patched macOS vulnerability to bypass Transparency, Consent, and Management (TCC) security checks and steal delicate consumer data, together with Apple Intelligence cached information.
TCC is a security know-how and a privateness framework that blocks apps from accessing non-public consumer information by offering macOS management over how their information is accessed and utilized by functions throughout Apple units.
Apple has mounted the security flaw tracked as CVE-2025-31199 (reported by Microsoft’s Jonathan Bar Or, Alexia Wilson, and Christine Fossaceca) in patches launched in March for macOS Sequoia 15.4 with “improved information redaction.”
Whereas Apple restricts TCC entry solely to apps with full disk entry and routinely blocks unauthorized code execution, Microsoft security researchers discovered that attackers may use the privileged entry of Highlight plugins to entry delicate recordsdata and steal their contents.
They confirmed in a report revealed right this moment that the vulnerability (named Sploitlight and described by Apple as a “logging concern”) could possibly be exploited to reap helpful information, together with Apple Intelligence-related data and distant data of different iCloud account-linked units.
This consists of, however is just not restricted to, photograph and video metadata, exact geolocation information, face and particular person recognition information, consumer exercise and occasion context, photograph albums and shared libraries, search historical past and consumer preferences, in addition to deleted pictures and movies.
Since 2020, Apple has patched different TCC bypasses that exploit Time Machine mounts (CVE-2020-9771), setting variable poisoning (CVE-2020-9934), and a bundle conclusion concern (CVE-2021-30713). Up to now, Microsoft security researchers have additionally found a number of different TCC bypasses, together with powerdir (CVE-2021-30970) and HM-Surf, that may be abused to achieve entry to customers’ non-public information.
“Whereas much like prior TCC bypasses like HM-Surf and powerdir, the implications of this vulnerability, which we confer with as ‘Sploitlight’ for its use of Highlight plugins, are extra extreme as a consequence of its means to extract and leak delicate data cached by Apple Intelligence, equivalent to exact geolocation information, photograph and video metadata, face and particular person recognition information, search historical past and consumer preferences, and extra,” Microsoft mentioned on Monday.
“These dangers are additional sophisticated and heightened by the distant linking functionality between iCloud accounts, which means an attacker with entry to a consumer’s macOS gadget may additionally exploit the vulnerability to find out distant data of different units linked to the identical iCloud account.”
In recent times, Microsoft security researchers have discovered a number of different extreme macOS vulnerabilities, together with a SIP bypass dubbed ‘Shrootless’ (CVE-2021-30892), reported in 2021, which allows attackers to put in rootkits on compromised Macs.
Extra not too long ago, they found a SIP bypass dubbed ‘Migraine’ (CVE-2023-32369) and a security flaw named Achilles(CVE-2022-42821), which could be exploited to put in malware utilizing untrusted apps that bypass Gatekeeper execution restrictions.
Final 12 months, they reported one other SIP bypass flaw (CVE-2024-44243) that lets menace actors deploy malicious kernel drivers by loading third-party kernel extensions.
CISOs know that getting board buy-in begins with a transparent, strategic view of how cloud security drives enterprise worth.
This free, editable board report deck helps security leaders current danger, influence, and priorities in clear enterprise phrases. Flip security updates into significant conversations and quicker decision-making within the boardroom.
