Researchers Examine Apple’s Most Recent Zero-Click Shortcuts Vulnerability

iOS Security / Privacy in the Newsroom on February 23, 2024

A high-severity security flaw in Apple’s Shortcuts app, which has since been fixed, could allow a shortcut to access sensitive data on the device without the users’ permission.

Apple addressed the vulnerability, tracked as CVE-2024-23204 (CVSS score: 7.5), on January 22, 2024, with the release of iOS 17, iPadOS 17, macOS Sonoma 14, and watchOS 10.3.

According to an advisory from the iPhone manufacturer, “a shortcut may be able to use sensitive data with specific actions without prompting the user.” “Additional permissions checks” were used to fix the flaw.

Apple Shortcuts is a scripting application that lets users design customized workflows (also known as macros) for carrying out particular tasks on their devices. It comes pre-installed on iOS, iPadOS, macOS, and watchOS.

The Shortcuts bug was found and reported by Bitdefender security researcher Jubaer Alnazi Jabin, who said that it could be used to build a malicious shortcut that gets around Transparency, Consent, and Control (TCC) policies.

TCC is an Apple security framework that aims to prevent unauthorized access to user data without first requesting the necessary permissions.

The problem specifically lies in a shortcut action called “Expand URL,” which can expand and clean up URLs that have been shortened using a URL shortening service like t.co or bit.ly, while also removing UTM tracking parameters.

Alnazi Jabin explained that “by utilizing this functionality, it was possible to send a malicious website the Base64-encoded data of an image.”

The procedure involves importing any sensitive data (photographs, contacts, files, clipboard data), converting it using the Base64 encode option, and then sending it to a malicious server.

A Flask application is then used to capture the exfiltrated data and save it as an image on the attacker’s end, enabling subsequent exploitation.

According to the researcher, shortcuts can be exported and shared with users, which is a common practice. Users unknowingly import shortcuts that could be used to exploit CVE-2024-23204, which “expands the potential reach of the vulnerability.”
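The following is an added example, not code from the article or from the researcher: a Python check a defender could run over web proxy logs to flag outbound URLs whose path segments or query values decode from Base64 to image data, the pattern described above. The log layout (URL as the last field), the host names and the 16-character minimum are assumptions, and the sample lines are constructed.

```python
import base64
import re
from urllib.parse import urlsplit, unquote

# Leading magic bytes of common image formats (the payload on this page is an image).
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}
B64 = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")

def decode_b64(text):
    """Decode standard or URL-safe Base64; return None if text is not Base64."""
    if not B64.fullmatch(text):
        return None
    core = text.rstrip("=").replace("-", "+").replace("_", "/")
    if len(core) % 4 == 1:  # no Base64 string has this length
        return None
    try:
        return base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
    except ValueError:
        return None

def image_payloads(url):
    """Return [(format, decoded_size)] for Base64 images carried in a URL."""
    parts = urlsplit(url)
    # Candidates: each path segment and each query value, percent-decoded.
    fields = parts.path.split("/")
    fields += [pair.partition("=")[2] for pair in parts.query.split("&")]
    hits = []
    for field in fields:
        data = decode_b64(unquote(field))
        if data:
            hits += [(name, len(data)) for magic, name in MAGIC.items()
                     if data.startswith(magic)]
    return hits

def scan(log_lines):
    """Return {url: hits} for log lines whose last field is a flagged URL."""
    urls = (line.split()[-1] for line in log_lines if line.strip())
    return {u: h for u in urls if (h := image_payloads(u))}

# Constructed sample data: a fake PNG header in a path, a normal short link
# with UTM parameters, and a long hex token that is not an image.
FAKE_PNG = base64.urlsafe_b64encode(b"\x89PNG\r\n\x1a\n" + bytes(40)).decode()
SAMPLE_LOG = [
    f"2024-02-23T10:00:01Z GET https://collector.example/u/{FAKE_PNG}",
    "2024-02-23T10:00:02Z GET https://bit.ly/3xAmPle?utm_source=newsletter",
    "2024-02-23T10:00:03Z GET https://app.example/cb?sid=" + "a3f1" * 8,
]
FLAGGED = scan(SAMPLE_LOG)  # only the first URL is flagged
```

Standard Base64 that contains `/` is only recognised in query values, because path segments are split on `/` before decoding.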
