spotPlight - spotlight dataleak automation
Earlier versions of macOS leaked small amounts of spotlight index data to USB drives on locked systems and this automates the exfiltration process by emulating up to 128 USB mass storage devices
I noticed that certain versions of macOS would leak small amounts of spotlight indexed data to any USB drive that was inserted into the system, even when locked. The project named spotPlight was the result of automating the extraction of this data. I found that rapidly inserting and removing up to 128 emulated USB drives at a time into macOS system using a raspberry pi, that it was possible to exfiltrate data from a screenlocked macOS system even with filevault enabled.
External Links:
- Blog post: spotPlight - macOS data leak
- Code: spotPlight github repo