Apple's Recent Zero-Click Shortcuts Vulnerability

23.02.2024


New information has surfaced regarding a recently patched high-severity security vulnerability in Apple’s Shortcuts app, which had the potential to allow a shortcut to access sensitive information on a device without user consent.

Identified as CVE-2024-23204 with a CVSS score of 7.5, Apple addressed the flaw on January 22, 2024, through the release of iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3.

According to Apple, the issue allowed a shortcut to utilize sensitive data through specific actions without prompting the user, and the fix involved implementing “additional permissions checks.”

The Shortcuts app, installed by default on iOS, iPadOS, macOS, and watchOS, is a scripting application that lets users build custom workflows for executing specific tasks on their devices.

Jubaer Alnazi Jabin, a security researcher from Bitdefender, discovered and reported the bug. He noted that the vulnerability could potentially be exploited to create a malicious shortcut capable of bypassing Transparency, Consent, and Control (TCC) policies.

TCC is Apple's security framework for gating access to user data: an app or shortcut must obtain the user's explicit permission before it can read protected resources such as photos, contacts, or location.

The root cause of the flaw lies in a shortcut action named “Expand URL,” which can expand and clean up shortened URLs from services like t.co or bit.ly, removing UTM tracking parameters in the process.

Explaining the exploit method, Alnazi Jabin stated, “By leveraging this functionality, it became possible to transmit the Base64-encoded data of a photo to a malicious website.”

The process involves selecting sensitive data within Shortcuts, importing it, converting it with the base64 encode option, and ultimately sending it to the malicious server. The exfiltrated data is then captured and saved as an image on the attacker’s server through a Flask application, potentially leading to further exploitation.
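The exfiltration path described above ends with image data leaving the device as a base64 string inside a web request. A detection-side check that a defender could run over outbound web-proxy logs is shown below. This is an added example, not code from the article or from Bitdefender; it assumes a constructed, simplified log format (timestamp, client, method, URL, status) and flags any URL that carries a base64 run which decodes to bytes starting with a known image file signature.

```python
"""Added example: flag outbound URLs that carry base64-encoded image data.

Not code from the article or from Bitdefender. Assumes a hypothetical
whitespace-separated proxy log: <timestamp> <client> <method> <url> <status>.
"""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# File signatures (magic bytes) that identify common image formats.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# A run of at least 64 characters from the standard or URL-safe base64
# alphabet, with up to two padding characters. Short tokens are ignored.
B64_RUN = re.compile(r"[A-Za-z0-9+/\-_]{64,}={0,2}")


def decode_base64_run(run: str) -> Optional[bytes]:
    """Decode a suspected base64 run, tolerating the URL-safe alphabet and
    missing padding. Returns None when the run is not valid base64."""
    padded = run + "=" * (-len(run) % 4)
    try:
        if "-" in run or "_" in run:
            return base64.urlsafe_b64decode(padded)
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def image_kind(data: bytes) -> Optional[str]:
    """Return the image format name if the bytes start with a known signature."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def inspect_url(url: str) -> Optional[dict]:
    """Return a finding dict if the URL embeds a base64-encoded image, else None."""
    # Percent-decode first so '+' and '/' inside query values are restored.
    for match in B64_RUN.finditer(unquote(url)):
        blob = decode_base64_run(match.group(0))
        if blob is None:
            continue
        kind = image_kind(blob)
        if kind:
            return {"host": urlsplit(url).hostname, "kind": kind, "bytes": len(blob)}
    return None


def scan_log(text: str) -> list:
    """Scan proxy log lines and collect findings for URLs carrying image data."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 5 or not fields[3].startswith("http"):
            continue
        finding = inspect_url(fields[3])
        if finding:
            finding["line"] = lineno
            findings.append(finding)
    return findings


# Constructed sample input: a fake JPEG header padded with zeros, a long but
# harmless base64 session token, and two ordinary requests.
_JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 60
_JPEG_PAYLOAD = base64.urlsafe_b64encode(_JPEG_BYTES).decode()
_TOKEN = base64.b64encode(
    b"session token that is long but is just ordinary application data, not an image"
).decode()
SAMPLE_LOG = f"""\
1708600000.101 10.0.0.5 GET https://bit.ly/3abcXYZ 301
1708600000.102 10.0.0.5 GET https://www.example.org/static/app.bundle.min.js 200
1708600000.103 10.0.0.5 GET https://api.example.org/session?token={_TOKEN} 200
1708600000.104 10.0.0.5 GET https://exfil.example/upload?d={_JPEG_PAYLOAD} 200
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['kind']} ({hit['bytes']} bytes) sent to {hit['host']}")
```

Only the request to the constructed `exfil.example` host is reported; the long session token decodes but carries no image signature, so it is not flagged. In a real deployment the same check would sit on the proxy or egress logging pipeline, and the base64 length threshold and signature table are the two knobs to tune for the environment's false-positive rate.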
