Microsoft Discovers Vulnerability in macOS Spotlight


Microsoft’s Threat Intelligence team has uncovered a serious vulnerability in macOS Spotlight, now dubbed “Sploitlight.” The exploit allowed attackers to bypass Apple’s Transparency, Consent, and Control (TCC) framework and access sensitive user data without consent.

The issue stemmed from Spotlight plugins—bundles designed to index app-specific files—being manipulated to leak protected data. By crafting or altering a plugin, researchers could make macOS’s indexing service read files in TCC-restricted locations such as Downloads or Photos, then quietly log portions of their contents without the user ever being prompted. The exposure went beyond ordinary files: metadata cached by Apple Intelligence—such as geolocation info, face recognition data, user preferences, and search history—became accessible to attackers as well.

Crucially, Microsoft notes this was not a public exploit: the issue was responsibly disclosed, and Apple patched it in a macOS update released March 31, 2025 (Sequoia 15.4) by tightening data redaction and strengthening symlink validation and state handling.

Still, the implications are notable: because macOS Spotlight plugins execute with elevated scope, even third-party bundles could be transformed into an entry point for data theft. Beyond local machine access, the exploit could also expose data from other devices linked via the same iCloud account.

For users, the takeaway is straightforward: ensure your Mac is running the latest security updates. The fix has already shipped, but anyone still on a version older than 15.4 remains exposed to potential variants of the exploit.
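A defender-side check that puts this takeaway into practice, added here and not part of Microsoft's write-up or Apple's tooling: it compares the installed macOS version against the patched release named above and audits the third-party Spotlight importer bundles the article warns about. It assumes `mdimport -L` prints one quoted bundle path per line and relies on `codesign --verify` for the signature check.

```shell
#!/bin/sh
# Defender check (added here; not from the Microsoft write-up): reports whether
# this Mac carries the Sploitlight fix (macOS Sequoia 15.4) and audits the
# third-party Spotlight importer bundles that the article says can be abused.

# version_at_least INSTALLED REQUIRED: succeeds when INSTALLED >= REQUIRED.
# Compares dotted versions component by component ("15.3.2" < "15.4"), so it
# is a pure function that can be exercised on any machine, not just a Mac.
version_at_least() {
    installed=$1; required=$2
    while [ -n "$installed" ] || [ -n "$required" ]; do
        a=${installed%%.*}; b=${required%%.*}          # leading component
        case $installed in *.*) installed=${installed#*.} ;; *) installed= ;; esac
        case $required  in *.*) required=${required#*.}  ;; *) required=  ;; esac
        a=${a:-0}; b=${b:-0}                            # "15.4" == "15.4.0"
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
    done
    return 0                                            # every component equal
}

# Lists registered Spotlight importers outside /System and checks each one's
# code signature; an unsigned or altered bundle is what a tampered plugin
# would look like. Assumes `mdimport -L` prints one quoted bundle path per line.
audit_importers() {
    mdimport -L 2>/dev/null | grep -o '/[^"]*\.mdimporter' | grep -v '^/System/' |
    while IFS= read -r bundle; do
        if codesign --verify --deep --strict "$bundle" >/dev/null 2>&1; then
            printf 'signed           %s\n' "$bundle"
        else
            printf 'UNSIGNED/ALTERED %s\n' "$bundle"
        fi
    done
}

check_sploitlight() {
    installed=$(sw_vers -productVersion)
    if version_at_least "$installed" 15.4; then
        echo "macOS $installed: includes the Sploitlight fix (15.4)"
    else
        echo "macOS $installed: older than 15.4, install the update"
    fi
    echo "Third-party Spotlight importers:"
    audit_importers
}

# Run the live check only on macOS; elsewhere this file just defines functions.
command -v sw_vers >/dev/null 2>&1 && check_sploitlight
```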

In a broader context, Sploitlight highlights the complexity of modern operating systems where utility features like Spotlight plugins can create unexpected privacy risks. As AI-powered tools increasingly cache sensitive metadata, protecting that layer becomes just as critical as guarding the files themselves.

Ultimately, the lesson is clear: keep your systems patched, and stay alert to how deep system tools can be manipulated by malicious actors who hold only benign-looking access to search infrastructure.

Source: Microsoft Security Blog