Apple Intelligence Token Theft Vulnerability Exposes Privacy Risks in macOS 26.0
Researchers from The Ohio State University have uncovered critical vulnerabilities in Apple’s Apple Intelligence, a generative AI service integrated into macOS 26.0 (Tahoe), which could allow attackers to steal and reuse authentication tokens. The flaws undermine the system’s privacy-focused design, enabling unauthorized access to AI services and potential denial-of-service (DoS) attacks.
How the System Works (and Fails)
Apple Intelligence relies on Private Cloud Compute (PCC), a framework that processes complex AI requests in the cloud while prioritizing user anonymity. The system uses a two-tiered token system under the Privacy Pass protocol:
- A Token Granting Token (TGT), a long-lived credential issued after verifying the device as authentic Apple hardware.
- One-Time Tokens (OTTs), single-use credentials redeemed for individual AI requests.
To protect privacy, traffic routes through an Oblivious HTTP (OHTTP) relay, masking IP addresses and metadata from Apple. However, researchers found that PCC nodes do not enforce TGT validation by default, despite Apple’s documentation suggesting it was reserved for future abuse prevention.
Key Vulnerabilities
- Plaintext Token Storage – TGTs and OTTs are stored in the login keychain in unencrypted form, accessible to any application with standard user permissions.
- Bearer Token Design – Tokens are not tied to specific devices, meaning they can be reused by attackers if stolen. Users have no revocation mechanism, leaving compromised tokens valid for days.
- Weak Keychain Access Controls – Malware can extract tokens via the SecItemCopyMatching API or the /usr/bin/security tool, often with minimal user interaction (e.g., a single "Allow" prompt).
The Serpent Attack
Researchers developed "Serpent", a proof-of-concept exploit demonstrating how attackers could:
- Extract tokens from a victim’s Mac by tricking users into granting keychain access.
- Exfiltrate and reuse tokens on an attacker-controlled device, impersonating the victim.
- Bypass rate limits – A banned device could regain access by importing stolen tokens.
- Launch DoS attacks – By redeeming a victim’s OTTs without sending actual requests, attackers could exhaust their daily quota, triggering a "service unavailable" error.
Because the OHTTP relay hides IP addresses, Apple cannot trace malicious activity, making detection nearly impossible. The attack could even enable automated AI service resale on non-Apple platforms like Linux.
Apple’s Response & Partial Fixes
Apple assigned CVE-2025-43509 and issued a patch in macOS 26.2, moving tokens from the login keychain to the iCloud keychain, which requires stricter kernel-level permissions. However, researchers demonstrated that kernel extensions or memory debugging could still bypass these protections, and Apple is developing further mitigations.
The findings highlight a fundamental tension in Apple’s design: anonymity without hardware binding creates inherent security risks. While the current fix raises the bar for attackers, researchers argue that cryptographic hardware binding is necessary for a robust solution.
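To make the bearer-versus-bound distinction concrete, the following is an added example (not Apple's, the researchers', or the article's code) that models a one-time token in two forms: a plain bearer token, and one bound to a device key that must sign a server challenge at redemption. It assumes a hypothetical token format, P-256 keys standing in for a device's non-exportable key, and a constructed server nonce.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Token models a one-time token (hypothetical format, not Apple's): with Bound nil it is a
// bearer token redeemable by anyone holding Value; with Bound set it also needs that key's signature.
type Token struct {
	Value []byte
	Bound *ecdsa.PublicKey
}

// challenge is what the device signs: token value plus a fresh server nonce, so a
// captured signature cannot be replayed under a different nonce.
func challenge(t Token, nonce []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, t.Value...), nonce...))
	return h[:]
}

// Issue returns a bearer token when pub is nil, otherwise a token bound to pub.
func Issue(pub *ecdsa.PublicKey) Token {
	t := Token{Value: make([]byte, 16), Bound: pub}
	rand.Read(t.Value)
	return t
}

// Redeem accepts a bearer token unconditionally; for a bound token it requires proof
// of possession of the bound key. Single-use bookkeeping is omitted for brevity.
func Redeem(t Token, nonce, sig []byte) error {
	if t.Bound != nil && !ecdsa.VerifyASN1(t.Bound, challenge(t, nonce), sig) {
		return errors.New("proof of possession failed: token is not usable off-device")
	}
	return nil
}

// Demo reports whether a copied bearer token redeems from anywhere, whether a copied
// bound token redeems with a second device's key, and whether its own device still can.
func Demo() (bearerCopied, boundCopied, boundOwner bool) {
	owner, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for an enclave key
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // a second machine's key
	nonce := []byte("constructed-server-nonce")
	bearer, bound := Issue(nil), Issue(&owner.PublicKey)
	bearerCopied = Redeem(bearer, nonce, nil) == nil
	sig, _ := ecdsa.SignASN1(rand.Reader, other, challenge(bound, nonce))
	boundCopied = Redeem(bound, nonce, sig) == nil
	sig, _ = ecdsa.SignASN1(rand.Reader, owner, challenge(bound, nonce))
	boundOwner = Redeem(bound, nonce, sig) == nil
	return
}
```

The copied bearer token succeeds wherever it is presented, while the copied bound token fails unless the redeemer can sign with the key it was issued to, which is the property the article's call for hardware binding is about.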
Source: https://www.helpnetsecurity.com/2026/04/22/apple-intelligence-token-vulnerability-serpent-attack/
Apple cybersecurity rating report: https://www.rankiteo.com/company/apple
{
  "id": "APP1776839269",
  "linkid": "apple",
  "type": "Vulnerability",
  "date": "1/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "macOS 26.0 users with Apple Intelligence enabled",
      "industry": "Consumer Electronics, Software, AI Services",
      "location": "Cupertino, California, USA",
      "name": "Apple Inc.",
      "size": "Large Enterprise",
      "type": "Technology Company"
    }
  ],
  "attack_vector": "Local Keychain Access, Token Theft, Exploitation of Weak Access Controls",
  "data_breach": {
    "data_encryption": "Tokens stored in plaintext (pre-patch)",
    "data_exfiltration": "Possible via token theft and reuse on attacker-controlled devices",
    "personally_identifiable_information": "None directly, but metadata from AI requests could be inferred",
    "sensitivity_of_data": "High (enables unauthorized access to AI services)",
    "type_of_data_compromised": "Authentication Tokens (TGTs, OTTs)"
  },
  "description": "Researchers from The Ohio State University uncovered critical vulnerabilities in Apple’s Apple Intelligence, a generative AI service integrated into macOS 26.0 (Tahoe), which could allow attackers to steal and reuse authentication tokens. The flaws undermine the system’s privacy-focused design, enabling unauthorized access to AI services and potential denial-of-service (DoS) attacks.",
  "impact": {
    "brand_reputation_impact": "Moderate (privacy-focused design undermined)",
    "data_compromised": "Authentication Tokens (TGTs, OTTs), User AI Request Metadata",
    "downtime": "Potential service unavailability due to DoS attacks",
    "identity_theft_risk": "Low (tokens do not directly expose PII)",
    "operational_impact": "Unauthorized access to AI services, potential service disruption for legitimate users",
    "systems_affected": "macOS 26.0 (Tahoe), Apple Intelligence, Private Cloud Compute (PCC)"
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": "Potential (tokens could be resold for unauthorized AI service access)",
    "entry_point": "Local keychain access via malware or social engineering",
    "high_value_targets": "macOS users with Apple Intelligence enabled"
  },
  "investigation_status": "Partially Resolved (patch issued, further mitigations in development)",
  "lessons_learned": "Anonymity-focused designs without hardware binding create security risks. Token storage must enforce strict access controls, and revocation mechanisms are critical for mitigating token theft.",
  "motivation": "Unauthorized Access, Data Exfiltration, Service Disruption, Potential Financial Gain (AI Service Resale)",
  "post_incident_analysis": {
    "corrective_actions": [
      "Moved tokens to iCloud keychain with stricter permissions",
      "Developing further mitigations (e.g., hardware binding)"
    ],
    "root_causes": [
      "Plaintext storage of authentication tokens in the login keychain",
      "Lack of default TGT validation on PCC nodes",
      "Weak keychain access controls",
      "Bearer token design without device binding"
    ]
  },
  "recommendations": [
    "Implement cryptographic hardware binding for tokens",
    "Enforce strict validation of TGTs on PCC nodes",
    "Provide users with token revocation mechanisms",
    "Enhance keychain access controls to prevent unauthorized token extraction",
    "Monitor for anomalous token redemption patterns"
  ],
  "references": [
    {
      "source": "The Ohio State University Research"
    }
  ],
  "response": {
    "containment_measures": "Patch issued in macOS 26.2 (moved tokens to iCloud keychain with stricter permissions)",
    "remediation_measures": "CVE-2025-43509 patch, ongoing development of further mitigations (e.g., cryptographic hardware binding)",
    "third_party_assistance": "Researchers from The Ohio State University"
  },
  "title": "Apple Intelligence Token Theft Vulnerability Exposes Privacy Risks in macOS 26.0",
  "type": "Data Breach, Privilege Escalation, Denial-of-Service (DoS)",
  "vulnerability_exploited": "CVE-2025-43509, Plaintext Token Storage, Lack of Token Validation, Weak Keychain Access Controls"
}