Apple patched a critical macOS vulnerability earlier this year that allowed attackers to bypass system protections and access sensitive user data across multiple devices, security researchers at Microsoft recently revealed.
Dubbed “Sploitlight” for its exploitation of Spotlight plugins, the flaw was uncovered by Microsoft’s Security Vulnerability Research team during a routine scan for privileged processes.
Microsoft’s recent blog post reads, in part: “After discovering the bypass technique during proactive hunting for processes with privileged entitlements, we shared our findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR).”
Although Apple released a fix for the flaw in a March 31 security update, any systems that have not yet installed the patch remain at risk.
What is Sploitlight?
Sploitlight is built into every version of iPadOS, visionOS, Mac OS X Tiger or later, and iPhone OS 3 or later. The feature enables system-wide search, helping users locate files, applications, and other data quickly across devices.
However, the Sploitlight vulnerability made it possible for hackers and other malicious actors to scan and access these files, too — even if they were protected by macOS’ Transparency, Consent, and Control (TCC) feature.
What is macOS TCC?
One of macOS’ many integrated security mechanisms, TCC is meant to restrict access to local apps, personal data, and critical system resources.
It works by asking the user for permission before granting access to certain files, devices, or resources. Some elements that are protected by TCC include the device’s camera and microphone, personal and business contacts, calendars, screen recording functionality, and certain files on local hard drives.
According to Microsoft, attackers were able to use specially crafted Sploitlight plugins to circumvent these TCC protections. By declaring specific file types, they could scan for matching data and extract it through macOS log utilities — without triggering standard security prompts.
What kind of data is being targeted?
The Sploitlight vulnerability could give hackers access to sensitive personal information contained on the device, including:
- Geolocation details such as GPS coordinates and timestamped location history.
- Metadata embedded in images and videos, including camera settings, device model, and file paths.
- Files previously deleted but still retrievable through metadata logs.
- AI-generated image tags and object labels from the Photos app.
- Facial recognition data and, in some cases, tagged contact profiles associated with image libraries.
- User behavior logs, such as screenshot activity and shared media content.
- Calendar-based event history, including birthdays, vacations, and other scheduled items.
- Search queries conducted within apps like Photos.
Hackers can even take advantage of remote linking functionality to access data from other devices that may be linked through a shared iCloud account.
Protecting your system from the Sploitlight bug
As usual, the best way to protect your system from hacks, bugs, and exploits is to download and install the latest security updates. Apple issued a patch addressing the Sploitlight flaw in March 2025, and users are strongly encouraged to apply all current macOS security updates to ensure protection against this vulnerability.
Apple’s tweaking its iPhone timeline. Here’s what that move could mean for users, competitors, and your next upgrade decision.