Apple’s OS X Yosemite Spotlight Privacy Issues



So Apple pushed out its latest and greatest OS X version, 10.10, called Yosemite, but it’s facing a bit of an uproar at the moment about some Spotlight privacy issues. For those who are not familiar, Spotlight is a kind of super desktop search that searches everything on your computer (and now also the Internet) – which is not cool, as your physical location & search term are sent to Apple (and 3rd parties like Microsoft) every time you use Spotlight.


The upside? Yosemite is pretty cool, and security-wise it comes with patches for both POODLE and Shellshock.

Even so, Apple should know better than this and respect privacy by default, as they surely understand how something like this can blow up.

There’s growing disquiet over Apple’s desktop search app Spotlight, which sends queries for things back to the company’s servers to process.

Spotlight phones home in OS X Yosemite, version 10.10, and it is enabled by default: it can be switched off, but with Apple insisting that it now takes people’s privacy seriously, the software has raised some eyebrows. It appears Spotlight sends queries, along with your location, back to Apple over the internet so the company can suggest related things from the web using Microsoft’s Bing engine. Apple says it needs to see your queries so it can improve Spotlight’s algorithms for suggesting things.

So, for example, searching for “weather” on a Register Mac running OS X 10.10 reveals files, folders and installed applications (such as the Windows 8.1 weather app in Parallels) on the machine containing the keyword; that’s the local search part. This is what you’d expect to see.

But then Spotlight contacts Apple remotely to get recommended software from the Apple App Store, and a search by Bing for any relevant websites.


I can see why they turn it on by default though: the majority of users won’t know what is happening and they will enjoy the richer search experience that Spotlight gives them now – à la Facebook. Do something that pisses off a small subset of more technical users and see how bad the public backlash is – if it’s not too bad, you profit.

This has spread far and wide though, reaching some mainstream news sites – I’m not exactly sure if the average user will be enraged though as we seem to live in a post-privacy kind of society now where people accept companies collect their data.

Yosemite was released late last week after a string of betas were made available to developers, the first in June. The OS was finalized as Apple chief exec Tim Cook started waving around his company’s alleged efforts to safeguard privacy; Cook hopes to use privacy as a differentiator in the iGiant’s ongoing battle against arch rival Google.

But the people behind Fix-macosx.com reckon Spotlight isn’t the only component of OS X Yosemite that unnecessarily phones home. “A myriad system and user processes are sending data to Apple in a default configuration, and we want to fix those, too,” they promise.

A collaborative project to identify additional data collected by Apple and other third parties has been set up by the Fix Mac OS X team. “This work is powered by Net-Monitor, our open-source toolkit for auditing phone home behaviour system-wide,” the developers add.

Apple’s collection of search queries in its cloud is not limited to OS X Yosemite: the Spotlight Suggestions and Bing Web Results are also included in iOS 8. “It has to do with sending data to Apple,” Sean Sullivan, a security advisor at F-Secure, told The Register. “It’s a being-spied-on-by-the-cloud issue.”

How to restore your privacy

Disable these options:


  • Disable “Spotlight Suggestions” and “Bing Web Searches” in System Preferences > Spotlight > Search Results.
  • Safari also has a “Spotlight Suggestions” setting that is separate from Spotlight’s “Spotlight Suggestions”. This uses the same mechanism as Spotlight, and if left enabled, Safari will send a copy of all search queries to Apple.
  • You’d be forgiven for thinking that you’d already disabled “Spotlight Suggestions”, but you’ll also need to uncheck “Include Spotlight Suggestions” in Safari > Preferences > Search.

There’s also a Python script to do it here – fix-macosx.py
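To check the three settings above without clicking through the panes, here is an added example (not the fix-macosx.py script and not code from the original post) that audits and rewrites preference plists. The key names `orderedItems`, `MENU_SPOTLIGHT_SUGGESTIONS`, `MENU_WEBSEARCH` and `UniversalSearchEnabled` are assumed Yosemite-era identifiers to verify with `defaults read` on the target Mac, and the sample plists are constructed.

```python
import plistlib

# Assumed Yosemite-era identifiers; verify with `defaults read` on the target Mac.
PHONE_HOME_ITEMS = {
    "MENU_SPOTLIGHT_SUGGESTIONS": "Spotlight Suggestions",
    "MENU_WEBSEARCH": "Bing Web Searches",
}
SAFARI_KEY = "UniversalSearchEnabled"  # assumed key behind "Include Spotlight Suggestions"

# Constructed sample preference files (not captured from a real machine).
SAMPLE_SPOTLIGHT = plistlib.dumps({"orderedItems": [
    {"enabled": True, "name": "APPLICATIONS"},
    {"enabled": True, "name": "MENU_SPOTLIGHT_SUGGESTIONS"},
    {"enabled": True, "name": "DOCUMENTS"},
    {"enabled": True, "name": "MENU_WEBSEARCH"},
]})
SAMPLE_SAFARI = plistlib.dumps({"HomePage": "about:blank"})  # key absent = default


def audit(spotlight_plist: bytes, safari_plist: bytes) -> list:
    """Return the names of settings that still send queries to Apple."""
    findings = []
    items = plistlib.loads(spotlight_plist).get("orderedItems", [])
    seen = {i.get("name"): i.get("enabled", True) for i in items}
    for key, label in PHONE_HOME_ITEMS.items():
        # Assumption: a missing entry falls back to the default, which is "on".
        if seen.get(key, True):
            findings.append("Spotlight: " + label)
    if plistlib.loads(safari_plist).get(SAFARI_KEY, True):
        findings.append("Safari: Include Spotlight Suggestions")
    return findings


def harden(spotlight_plist: bytes, safari_plist: bytes):
    """Return new plist bytes with both Spotlight categories and the Safari option off."""
    sp = plistlib.loads(spotlight_plist)
    items = [dict(i) for i in sp.get("orderedItems", [])]
    present = {i.get("name") for i in items}
    for item in items:
        if item.get("name") in PHONE_HOME_ITEMS:
            item["enabled"] = False
    # Categories missing from the file get an explicit disabled entry.
    items += [{"enabled": False, "name": k} for k in PHONE_HOME_ITEMS if k not in present]
    sp["orderedItems"] = items
    sf = plistlib.loads(safari_plist)
    sf[SAFARI_KEY] = False
    return plistlib.dumps(sp), plistlib.dumps(sf)
```

Running `audit` before and after `harden` on exported copies of the two preference files shows whether a change made in the UI actually reached both Spotlight and Safari.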

Source: The Register





2 Responses to Apple’s OS X Yosemite Spotlight Privacy Issues

  1. bab October 21, 2014 at 8:16 am #

    Well, it’s not like Apple is hiding it — there is a very complete description in the “About Spotlight Suggestions & Privacy” button within the Spotlight prefpane.

    • Darknet October 21, 2014 at 6:15 pm #

      I wouldn’t exactly say putting it in the about pane or t&c is being open about it, being open is prompting you on update if you want to have it enabled and explaining the implications in plain English. Or just not having it on by default.