
An exploit involving Spotlight plugins could let attackers steal private metadata

2025 July 28
by RSS Feed

Microsoft has discovered a Spotlight-related exploit in macOS that could enable attackers to steal private metadata from Apple apps and third-party apps.

Don’t worry, Apple has already patched this vulnerability on the iPhone, iPad and Mac with iOS 18.4, iPadOS 18.4 and macOS Sequoia 15.4, released on March 31, 2025. Microsoft has now shared details explaining how the vulnerability works in a post on its Security blog.

This was a so-called zero-day vulnerability, that is, a flaw unknown to Apple at the time. But because Microsoft discovered it and warned Apple about it in time, and Apple fixed it swiftly before disclosing it on its support page, the vulnerability was never exploited in the wild.

Microsoft details a Spotlight-related exploit that Apple patched on time

Microsoft Threat Intelligence discovered a vulnerability in macOS that attackers may exploit to steal metadata from apps that Apple Intelligence caches. This app data is normally protected by Apple’s Transparency, Consent, and Control (TCC) mechanism. Once stolen, it can be used to reveal, among other things:

  • Your precise locations
  • What you searched using Spotlight
  • AI-powered summaries from the Mail app
  • Photo and video metadata (including geolocation)
  • Facial recognition data for the recognized faces in the built-in Photos app
  • Your settings
  • Files in the Downloads folder

None of this data is normally accessible without consent, thanks to TCC. The Spotlight search and indexing feature supports third-party plug-ins to make metadata from third-party apps searchable with Spotlight, like Procreate files.

You can manage Spotlight extensions yourself in System Settings > General > Login Items & Extensions > Spotlight by clicking the small Info button on the right to open a list of the installed Spotlight extensions.

It looks like Microsoft researchers found a hole in TCC that lets an attacker bypass the sandboxing restrictions macOS imposes on Spotlight plugins and leak private app data. This can be accomplished by making specific changes to the app bundles.

“These risks are further complicated and heightened by the remote linking capability between iCloud accounts, meaning an attacker with access to a user’s macOS device could also exploit the vulnerability to determine remote information of other devices linked to the same iCloud account,” Microsoft writes.

As mentioned, Apple has delivered a fix for the exploit in iOS 18.4, iPadOS 18.4 and macOS Sequoia 15.4. iPhone, iPad and Mac owners were not compromised because the fix was delivered before the vulnerability was detailed.
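
For administrators, the two checks this article points to (whether a Mac is on the fixed release, and which Spotlight plug-ins are installed) can be scripted. The following is an added example, not code from Microsoft, Apple or the original article; the function names and the three plug-in directories are assumptions based on the standard macOS locations for `.mdimporter` bundles.

```shell
#!/bin/sh
# Added example: patch-level check plus an inventory of Spotlight importers.
PATCHED_MACOS="15.4"   # fixed macOS Sequoia release named in the article

# version_ge A B: succeed when dotted version A >= B (missing fields = 0).
version_ge() {
  a=$1; b=$2
  for n in 1 2 3; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
    case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
  done
  return 0
}

# list_importers DIR...: print every *.mdimporter bundle directly inside DIR.
list_importers() {
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    for bundle in "$dir"/*.mdimporter; do
      [ -d "$bundle" ] && printf '%s\n' "$bundle"
    done
  done
  return 0
}

# signer BUNDLE: first signing authority reported by codesign, or "unsigned".
signer() {
  auth=$(codesign -dvv "$1" 2>&1 | sed -n 's/^Authority=//p' | head -n 1)
  printf '%s\n' "${auth:-unsigned}"
}

# audit: run both checks on the local Mac (directories are assumed defaults).
audit() {
  ver=$(sw_vers -productVersion)
  status="below $PATCHED_MACOS, update needed"
  version_ge "$ver" "$PATCHED_MACOS" && status="at or above $PATCHED_MACOS"
  echo "macOS $ver: $status"
  list_importers /Library/Spotlight "$HOME/Library/Spotlight" \
    /Applications/*.app/Contents/Library/Spotlight |
  while IFS= read -r b; do
    printf '%s\t%s\n' "$(signer "$b")" "$b"
  done
}

# Only run on macOS; elsewhere the functions can still be sourced.
if [ "$(uname -s)" = "Darwin" ]; then audit; fi
```

The version check compares only against the 15.4 release named above, so a Mac on an older major version is always reported as below it. Any listed plug-in that is unsigned or that you do not recognise is worth reviewing in the Spotlight extensions list in System Settings.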

Source link: https://www.idownloadblog.com/2025/07/28/an-exploit-involving-spotlight-plugins-could-let-attackers-steal-private-metadata/
