This work investigates the privacy claims of Apple Intelligence, which purports to safeguard user data through anonymous access tokens. Despite these assurances, we identify critical security flaws in its token mechanism. By integrating network traffic analysis, reverse engineering, and cross-platform document comparison, we present and implement Serpent—a practical cross-device token replay attack against Apple Intelligence. Our method enables an adversary to extract and replay tokens on macOS 15 (noting that the original reference to “26 Tahoe” appears to be a typographical error), thereby circumventing service quota restrictions and instantly restoring unauthorized access. This study demonstrates that anonymization alone is insufficient to secure AI-driven services. The vulnerability has been acknowledged by Apple, assigned a CVE identifier, and rewarded through their bug bounty program.

Apple Intelligence is a generative AI (GenAI) service provided by Apple on its devices. While offering a similar set of features as other similar GenAI services, Apple Intelligence is claimed to be designed with an extra focus on user security and privacy through a two-stage authentication and authorization design using anonymous access tokens. In this paper, we present our investigation into this token issuance mechanism with a goal to reveal possible vulnerabilities using traffic analysis, reverse engineering, and cross comparison with Apple's public documentation. Specifically, we present the Serpent attack, the first practical cross-device token replay attack against Apple Intelligence that allows the attacker to steal the access tokens from the victim's device and utilise them on a different device, with all usage rate-limited against the victim. We have achieved successful attacks on the latest macOS 26 Tahoe and demonstrated that an attacker, who even has used up its own allowance, can immediately regain access to Apple Intelligence service. We have responsibly disclosed the vulnerabilities to the vendors and received confirmation from Apple with CVE assigned and bounty given. Our results highlight a general lesson for built-in AI services: Anonymising identity does not by itself make the AI service secure; Enforcing non-transferability requires cryptographic binding to the rightful user.