Apple Intelligence, Apple's cutting-edge GenAI service, has been found to have a critical security flaw that could expose users to significant privacy risks. This vulnerability, discovered by researchers from The Ohio State University, highlights a complex interplay between Apple's authentication protocols and the underlying infrastructure of its Private Cloud Compute (PCC) system.
The Flaw in Apple Intelligence's Security
At the heart of Apple Intelligence's security architecture is a two-stage authentication and authorization system using anonymous access tokens. These tokens, specifically the Token Granting Token (TGT) and One-Time Tokens (OTTs), are designed to be long-lived and single-use, respectively. However, the researchers uncovered a critical issue: TGTs and OTTs are stored in the login keychain in plaintext on macOS 26.0 (Tahoe). This means that any application with standard user permissions can access and potentially misuse these tokens.
The implications of this flaw are severe. Because the system lacks a mechanism to verify the original device that received a token, these credentials function as 'bearer tokens.' This means that once stolen, they can be reused freely by whoever holds them until they expire several days later. The researchers developed an attack called Serpent to exploit this vulnerability, demonstrating its effectiveness through two distinct phases: extraction and disguise.
Serpent Attack: A Detailed Exploitation
During the extraction phase, malware on the victim's Mac queries the keychain using the SecItemCopyMatching API or the /usr/bin/security tool, triggering a system prompt for user confirmation. The authors assume that users will grant this permission, as such prompts are common and may appear routine. Once the tokens are exfiltrated to an attacker-controlled server, the disguise phase begins. The attacker overwrites their local keychain with the victim's tokens, allowing their device to operate as the victim for subsequent service requests.
The impact of this attack is profound. Practical tests confirmed that the Serpent attack bypasses device-level security controls. Researchers demonstrated a DoS attack where an attacker consumes a victim's entire daily allowance, causing their device to display a warning stating that 'Apple Intelligence is currently not available.' This attack can be automated and potentially enable the resale of Apple Intelligence as a generic AI service.
Mitigation and Future Challenges
Apple has acknowledged the vulnerability, assigned CVE-2025-43509, and awarded a bounty for the disclosure. The macOS 26.2 update moved the tokens from the login keychain to the iCloud keychain, where access requires specific entitlements. While this change increases the difficulty of token theft, it is not a complete fix. The researchers have shown that the entitlement checks can still be bypassed through kernel extensions or memory debugging, and Apple is working on additional patches.
The researchers argue that anonymizing identity alone does not guarantee a secure service and advocate for cryptographic hardware binding as the fundamental solution. This flaw highlights the ongoing challenges in securing complex authentication systems and the need for continuous innovation in security protocols to protect user data and privacy.
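The following is an added illustration, not code from the paper or from Apple's implementation, of why the researchers' proposed hardware binding matters: a TGT is modelled either as a bearer token or as a token bound to a device key, and the server demands a signature over a fresh challenge before minting an OTT. The token format, identifiers and the challenge value are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// TGT is a constructed model of the long-lived token: DevicePub is nil for a plain
// bearer token (the flawed design) and set when the issuer binds the token to a
// hardware-held key the device cannot export (the fix the researchers propose).
type TGT struct {
	ID        []byte
	DevicePub *ecdsa.PublicKey
}
func digest(id, challenge []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, id...), challenge...))
	return h[:]
}
// ProveTGT runs on the device: it signs the TGT id and a server-chosen challenge.
func ProveTGT(t TGT, challenge []byte, devPriv *ecdsa.PrivateKey) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, devPriv, digest(t.ID, challenge))
}
// VerifyTGT is the server-side check before a one-time token is minted.
func VerifyTGT(t TGT, challenge, proof []byte) error {
	if t.DevicePub == nil {
		return nil // bearer semantics: whoever holds the bytes is accepted
	}
	if !ecdsa.VerifyASN1(t.DevicePub, digest(t.ID, challenge), proof) {
		return errors.New("proof not made by the device the TGT is bound to")
	}
	return nil
}

// Scenario issues a TGT to a victim device and reports whether the server accepts it
// (a) from the victim device and (b) copied to a machine holding only its own key.
func Scenario(bound bool) (victimOK, copyOK bool) {
	victim, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tgt := TGT{ID: []byte("tgt-0001")} // constructed id; real token formats are not modelled
	if bound {
		tgt.DevicePub = &victim.PublicKey
	}
	challenge := []byte("constructed-server-nonce") // a real server draws this fresh per request
	p1, _ := ProveTGT(tgt, challenge, victim)
	p2, _ := ProveTGT(tgt, challenge, other)
	return VerifyTGT(tgt, challenge, p1) == nil, VerifyTGT(tgt, challenge, p2) == nil
}
```

With `Scenario(false)` both presentations succeed, which is the bearer behaviour the Serpent disguise phase relies on; with `Scenario(true)` only the victim device's proof is accepted, so copying the keychain entry alone no longer suffices.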