Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others company. Arthur Schopenhauer

CoreParsecLocation is a sample application demonstrating how a third-party app can access a user’s precise location without a user’s consent or permission. parsecd/CoreParsec also provides information such as localized search suggestions, knowledge cards, and a temporary user ID. Thankfully, I do not believe the user ID is persisted or recycled at this time.

During a routine Frameworks expedition, I noticed an active NSXPCConnection to parsecd. After a few days of tinkering, I discovered that parsecd would respond to search queries from any application as long as I spoofed the correct header information. In this case, I used the SPPARSession class, which sets up a session for Spotlight.

At first, I assumed that the PARResponse object would only return a GeoIP location (which isn’t that useful on its own). However, after trying numerous search queries, I discovered that searching for “restaurants” would cause parsecd to grab the user’s precise location. It then returned the location information to me via the PARReponse object.

parsec also returns additional information, such as localized news results & search suggestions. I do not believe these contain any user-identifiable information at this time. After submission, I plan to further explore the additional responses. CVE-2022-46718 - CoreParsecLocation