Analysts Expose Apple’s Latest Zero-Click Shortcuts Vulnerability


Information has surfaced regarding a recently patched high-severity security vulnerability in Apple’s Shortcuts app, allowing a shortcut to access sensitive device information without user consent.


Apple resolved the vulnerability, identified as CVE-2024-23204 (CVSS score: 7.5), on January 22, 2024, with the release of iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3. In an advisory, the iPhone maker stated that a shortcut could potentially access sensitive data through specific actions without user prompting, and that the issue was resolved through the implementation of “additional permissions checks.”

Apple Shortcuts is a scripting application that enables users to craft customized workflows, also known as macros, to perform designated tasks on their devices. This application is pre-installed across iOS, iPadOS, macOS, and watchOS operating systems.

Jubaer Alnazi Jabin, a researcher from Bitdefender security, who uncovered and reported the Shortcuts bug, highlighted its potential for malicious exploitation. According to Jabin, the bug could be utilized to create a harmful shortcut capable of circumventing Transparency, Consent, and Control (TCC) policies.

TCC is an Apple security framework crafted to safeguard user data by preventing unauthorized access unless proper permissions are granted beforehand.

The flaw primarily resides within a shortcut action termed “Expand URL.” This action is capable of expanding and refining URLs shortened via URL shortening services such as t.co or bit.ly, while also eliminating UTM tracking parameters.

“Exploiting this feature allowed for the transmission of Base64-encoded data from a photo to a malicious website,” elaborated Alnazi Jabin.


The process entails selecting sensitive data such as Photos, Contacts, Files, and clipboard data within Shortcuts, importing it, converting it using the base64 encode option, and finally sending it to the malicious server.

Subsequently, the extracted data is saved as an image on the attacker’s end utilizing a Flask application, thereby facilitating subsequent exploitation.
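From the defender's side, the flow described above appears in web proxy or egress logs as a request whose URL carries a long Base64 value. The following Python detector is an added example, not code from the researcher or Apple; the `<client> <url>` log format, the hostnames and the 256-character threshold are assumptions.

```python
import base64
import re
from urllib.parse import quote, unquote, urlsplit

MIN_CHARS = 256  # assumed threshold: shorter values are usually IDs or tokens
B64 = re.compile(r"[A-Za-z0-9+/_-]+={0,2}")
MAGIC = [(b"\xff\xd8\xff", "jpeg"), (b"\x89PNG\r\n\x1a\n", "png"),
         (b"GIF8", "gif"), (b"%PDF-", "pdf"), (b"BEGIN:VCARD", "vcard")]

def decode_b64(value):
    """Return decoded bytes if value is long standard or URL-safe Base64, else None."""
    if len(value) < MIN_CHARS or not B64.fullmatch(value):
        return None
    std = value.rstrip("=").replace("-", "+").replace("_", "/")
    try:
        return base64.b64decode(std + "=" * (-len(std) % 4), validate=True)
    except ValueError:  # wrong length or padding: not Base64
        return None

def url_payloads(url):
    """Return [(location, kind, decoded_size)] for Base64 payloads in a URL."""
    parts = urlsplit(url)
    # Standard Base64 in the path is split on "/" and is not reassembled here.
    fields = [("path", seg) for seg in parts.path.split("/")]
    fields += [("query:" + k, v) for k, _, v in
               (p.partition("=") for p in parts.query.split("&"))]
    found = []
    for where, value in fields:
        # Percent-decode; a "+" that was logged as a space is restored.
        raw = decode_b64(unquote(value).replace(" ", "+"))
        if raw is not None:
            kind = next((n for sig, n in MAGIC if raw.startswith(sig)), "unknown")
            found.append((where, kind, len(raw)))
    return found

def flag_requests(log_lines):
    """Each line is '<client> <url>'; return (client, host, payloads) per hit."""
    hits = []
    for client, url in (line.split() for line in log_lines):
        payloads = url_payloads(url)
        if payloads:
            hits.append((client, urlsplit(url).hostname, payloads))
    return hits

# Constructed sample: a fake JPEG header plus zero padding, not real photo data.
_BLOB = quote(base64.b64encode(b"\xff\xd8\xff\xe0" + bytes(300)).decode(), safe="")
SAMPLE_LOG = ["10.0.0.7 https://t.co/AbCd1234",
              "10.0.0.7 https://collector.example/u?d=" + _BLOB,
              "10.0.0.9 https://shop.example/?utm_source=news&id=42"]
```

Running `flag_requests(SAMPLE_LOG)` flags only the second line, reporting a 304-byte JPEG in the `d` query parameter; payloads without a known file signature are reported as `unknown` with their decoded size.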

“The sharing of Shortcuts among users is a widespread practice within the Shortcuts community,” noted the researcher. “However, this sharing mechanism significantly broadens the vulnerability’s potential reach, as users may inadvertently import shortcuts that exploit CVE-2024-23204.”

