Particulars have emerged a couple of now-patched high-severity safety flaw in Apple’s Shortcuts app that might allow a shortcut to entry delicate info on the system with out customers’ consent.
The vulnerability, tracked as CVE-2024-23204 (CVSS rating: 7.5), was addressed by Apple on January 22, 2024, with the discharge of iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3.
“A shortcut might be able to use delicate knowledge with sure actions with out prompting the person,” the iPhone maker stated in an advisory, stating it was mounted with “further permissions checks.”
Apple Shortcuts is a scripting software that permits customers to create personalised workflows (aka macros) for executing particular duties on their units. It comes put in by default on iOS, iPadOS, macOS, and watchOS working techniques.
Bitdefender safety researcher Jubaer Alnazi Jabin, who found and reporting the Shortcuts bug, stated it might be weaponized to create a malicious shortcut such that it may bypass Transparency, Consent, and Management (TCC) insurance policies.
TCC is an Apple safety framework that is designed to guard person knowledge from unauthorized entry with out requesting acceptable permissions within the first place.
Particularly, the flaw is rooted in a shortcut motion referred to as “Broaden URL,” which is able to increasing and cleansing up URLs which were shortened utilizing a URL shortening service like t.co or bit.ly, whereas additionally eradicating UTM monitoring parameters.
“By leveraging this performance, it turned potential to transmit the Base64-encoded knowledge of a photograph to a malicious web site,” Alnazi Jabin defined.
“The tactic entails deciding on any delicate knowledge (Pictures, Contacts, Information, and clipboard knowledge) inside Shortcuts, importing it, changing it utilizing the base64 encode choice, and finally forwarding it to the malicious server.”
The exfiltrated knowledge is then captured and saved as a picture on the attacker’s finish utilizing a Flask software, paving the way in which for follow-on exploitation.
“Shortcuts will be exported and shared amongst customers, a standard observe within the Shortcuts neighborhood,” the researcher stated. “This sharing mechanism extends the potential attain of the vulnerability, as customers unknowingly import shortcuts which may exploit CVE-2024-23204.”
