macOS Spotlight Data Leak (Vulnerability Fixed)
For a period of time, it was possible to read snippets of memory on a screen-locked mac OS system from the USB port.
A while back we noticed some interesting files created by macOS when inserting a USB drive. These files were related to Spotlight, macOS’s built-in search functionality which indexes and enables searching of files on the system, among other things. The presence of the files is fairly standard, as an invisible /Volumes/<Volume Name>/.Spotlight-V100/ directory are added to every USB drive inserted into a macOS system when Spotlight indexes the files on that drive. However, while analyzing some of the file contents, it appeared that content from several emails (subject lines, email addresses, snippets of message contents) was stored among this data, specifically in the .store.db file which serves as Spotlight’s metadata store. This was alarming as this email data had never been purposely stored on that USB drive. The implications were obviously pretty big. Sensitive data from a macOS system could be inadvertently leaked to a removable USB drive by the OS and potentially exposed without a user’s knowledge.