Apple’s OS X Yosemite Spotlight Privacy Issues


So Apple pushed out its latest and greatest OS X version, 10.10, called Yosemite, but it’s facing a bit of an uproar at the moment about some Spotlight privacy issues. For those who are not familiar, Spotlight is a kind of super desktop search that searches everything on your computer (and now also the Internet) – which is not cool, as your physical location & search term are sent to Apple (and 3rd parties like Microsoft) every time you use Spotlight.

The upside? Yosemite is pretty cool and, security-wise, it also comes with patches for both POODLE and Shellshock.

Even so, Apple should know better than this and respect privacy by default, as they surely understand how something like this can blow up.

There’s growing disquiet over Apple’s desktop search app Spotlight, which sends queries for things back to the company’s servers to process.

Spotlight phones home in OS X Yosemite, version 10.10, and it is enabled by default: it can be switched off, but with Apple insisting that it now takes people’s privacy seriously, the software has raised some eyebrows. It appears Spotlight sends queries, along with your location, back to Apple over the internet so the company can suggest related things from the web using Microsoft’s Bing engine. Apple says it needs to see your queries so it can improve Spotlight’s algorithms for suggesting things.

So, for example, searching for “weather” on a Register Mac running OS X 10.10 reveals files, folders and installed applications (such as the Windows 8.1 weather app in Parallels) on the machine containing the keyword; that’s the local search part. This is what you’d expect to see.

But then Spotlight contacts Apple remotely to get recommended software from the Apple App Store, and a search by Bing for any relevant websites.


I can see why they turn it on by default though: the majority of users won’t know what is happening and they will enjoy the richer search experience that Spotlight gives them now – à la Facebook. Do something that pisses off a small subset of more technical users and see how bad the public backlash is – if it’s not too bad, you profit.

This has spread far and wide though, reaching some mainstream news sites – I’m not exactly sure if the average user will be enraged though as we seem to live in a post-privacy kind of society now where people accept companies collect their data.

Yosemite was released late last week after a string of betas were made available to developers, the first in June. The OS was finalized as Apple chief exec Tim Cook started waving around his company’s alleged efforts to safeguard privacy; Cook hopes to use privacy as a differentiator in the iGiant’s ongoing battle against arch rival Google.

But the people behind Fix-macosx.com reckon Spotlight isn’t the only component of OS X Yosemite that unnecessarily phones home. “A myriad system and user processes are sending data to Apple in a default configuration, and we want to fix those, too,” they promise.

A collaborative project to identify additional data collected by Apple and other third parties has been set up by the Fix Mac OS X team. “This work is powered by Net-Monitor, our open-source toolkit for auditing phone home behaviour system-wide,” the developers add.

Apple’s collection of search queries in its cloud is not limited to OS X Yosemite: the Spotlight Suggestions and Bing Web Results are also included in iOS 8. “It has to do with sending data to Apple,” Sean Sullivan, a security advisor at F-Secure, told The Register. “It’s a being-spied-on-by-the-cloud issue.”

How to restore your privacy

Disable these options:

  • Disable “Spotlight Suggestions” and “Bing Web Searches” in System Preferences > Spotlight > Search Results.
  • Safari also has a “Spotlight Suggestions” setting that is separate from Spotlight’s “Spotlight Suggestions”. This uses the same mechanism as Spotlight, and if left enabled, Safari will send a copy of all search queries to Apple.
  • You’d be forgiven for thinking that you’d already disabled “Spotlight Suggestions”, but you’ll also need to uncheck “Include Spotlight Suggestions” in Safari > Preferences > Search.

There’s also a Python script to do it here – fix-macosx.py
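To confirm that the three settings listed above actually took effect, the check below reads exported preference files and reports what is still enabled. It is an added example, not the fix-macosx.py script or any Fix Mac OS X project code. The preference key names (`orderedItems`, `MENU_SPOTLIGHT_SUGGESTIONS`, `MENU_WEBSEARCH`, `UniversalSearchEnabled`) and the rule that a missing entry means the shipped default (enabled) are assumptions not stated on this page, and the sample plists are constructed.

```python
import plistlib

# Preference names as seen on OS X 10.10 (assumption: the page only gives the UI labels).
REMOTE_ITEMS = {
    "MENU_SPOTLIGHT_SUGGESTIONS": "Spotlight Suggestions",
    "MENU_WEBSEARCH": "Bing Web Searches",
}

def audit_spotlight(plist_bytes):
    """Return UI labels of remote-search categories still enabled in com.apple.Spotlight."""
    items = plistlib.loads(plist_bytes).get("orderedItems")
    if items is None:
        # No saved list: the pane was never changed, so the defaults (on) apply.
        return sorted(REMOTE_ITEMS.values())
    state = {i.get("name"): bool(i.get("enabled", True)) for i in items}
    # A category absent from the list is treated as enabled, the shipped default.
    return sorted(lbl for key, lbl in REMOTE_ITEMS.items() if state.get(key, True))

def audit_safari(plist_bytes):
    """True if Safari's separate 'Include Spotlight Suggestions' is still on."""
    return bool(plistlib.loads(plist_bytes).get("UniversalSearchEnabled", True))

def make_plist(body):
    """Wrap an XML fragment in a minimal plist envelope (sample-data helper)."""
    return ('<?xml version="1.0" encoding="UTF-8"?><plist version="1.0">'
            + body + "</plist>").encode()

def item(name, enabled):
    """Build one orderedItems entry (sample-data helper)."""
    flag = "<true/>" if enabled else "<false/>"
    return ("<dict><key>enabled</key>%s<key>name</key><string>%s</string></dict>"
            % (flag, name))

# Constructed sample: Suggestions unchecked, Bing Web Searches forgotten.
SAMPLE_SPOTLIGHT = make_plist("<dict><key>orderedItems</key><array>"
    + item("APPLICATIONS", True)
    + item("MENU_SPOTLIGHT_SUGGESTIONS", False)
    + item("MENU_WEBSEARCH", True) + "</array></dict>")
# Constructed sample: Safari preferences never touched.
SAMPLE_SAFARI = make_plist("<dict><key>HomePage</key><string>about:blank</string></dict>")

if __name__ == "__main__":
    print("Spotlight still sends:", audit_spotlight(SAMPLE_SPOTLIGHT))
    print("Safari suggestions on:", audit_safari(SAMPLE_SAFARI))
```

On a real machine the two inputs can be produced with `defaults export com.apple.Spotlight -` and `defaults export com.apple.Safari -`.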

Source: The Register

2 Responses to Apple’s OS X Yosemite Spotlight Privacy Issues

  1. bab October 21, 2014 at 8:16 am #

    Well, it’s not like Apple is hiding it — there is a very complete description in the “About Spotlight Suggestions & Privacy” button within the Spotlight prefpane.

    • Darknet October 21, 2014 at 6:15 pm #

      I wouldn’t exactly say putting it in the about pane or t&c is being open about it, being open is prompting you on update if you want to have it enabled and explaining the implications in plain English. Or just not having it on by default.