Apple's Recent Zero-Click Shortcuts Vulnerability

23.02.2024

 

New information has surfaced regarding a recently patched high-severity security vulnerability in Apple’s Shortcuts app, which had the potential to allow a shortcut to access sensitive information on a device without user consent.

The flaw, tracked as CVE-2024-23204 with a CVSS score of 7.5, was addressed by Apple on January 22, 2024, with the release of iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3.

According to Apple, the issue allowed a shortcut to utilize sensitive data through specific actions without prompting the user, and the fix involved implementing “additional permissions checks.”

The Shortcuts app is a scripting application, installed by default on iOS, iPadOS, macOS, and watchOS devices, that enables users to create custom workflows for executing specific tasks.

Jubaer Alnazi Jabin, a security researcher from Bitdefender, discovered and reported the bug. He noted that the vulnerability could potentially be exploited to create a malicious shortcut capable of bypassing Transparency, Consent, and Control (TCC) policies.

TCC is a security framework by Apple designed to keep user data from being accessed without appropriate permissions.

The root cause of the flaw lies in a shortcut action named “Expand URL,” which can expand and clean up shortened URLs from services like t.co or bit.ly, removing UTM tracking parameters in the process.

Explaining the exploit method, Alnazi Jabin stated, “By leveraging this functionality, it became possible to transmit the Base64-encoded data of a photo to a malicious website.”

The process involves selecting sensitive data within Shortcuts, importing it, converting it with the base64 encode option, and ultimately sending it to the malicious server. The exfiltrated data is then captured and saved as an image on the attacker’s server through a Flask application, potentially leading to further exploitation.
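
A defensive check for the traffic pattern described above, as an added example that is not from the researcher's write-up or from Apple: it scans web-proxy log lines for requests whose URL carries a long Base64 string that decodes to an image header. The log format, host names, addresses and sample data are constructed assumptions.

```python
import base64
import re
from urllib.parse import quote, unquote, urlsplit

# Magic bytes of the photo formats covered here (HEIC and others are not).
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF8": "gif"}
# Base64 renderings of those magics (standard and URL-safe), then a long run.
IMAGE_B64 = re.compile(r"(?:/9j/|_9j_|iVBORw0KGgo|R0lGOD)[A-Za-z0-9+/_-]{60,}")


def image_kind(token):
    """Decode the first 64 Base64 characters and match them against MAGIC."""
    head = token[:64].replace("-", "+").replace("_", "/")
    try:
        raw = base64.b64decode(head, validate=True)
    except ValueError:
        return None
    return next((k for m, k in MAGIC.items() if raw.startswith(m)), None)


def scan_proxy_log(lines):
    """Return one finding per request whose URL embeds a Base64-encoded image."""
    findings = []
    for line in lines:
        ts, client, method, url, status = line.split()
        parts = urlsplit(url)
        match = IMAGE_B64.search(unquote(parts.path + "?" + parts.query))
        kind = image_kind(match.group()) if match else None
        if kind:
            findings.append({"time": ts, "client": client, "host": parts.hostname,
                             "kind": kind, "approx_bytes": len(match.group()) * 3 // 4})
    return findings


# Constructed sample data: a minimal JPEG header padded with zero bytes.
FAKE_JPEG_B64 = base64.b64encode(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(91)).decode()
SAMPLE_LOG = [
    "2024-01-10T09:14:02Z 10.0.0.23 GET https://t.co/AbCdEf 301",
    "2024-01-10T09:14:05Z 10.0.0.23 GET https://collector.example/?u="
    + quote(FAKE_JPEG_B64, safe="") + " 200",
    "2024-01-10T09:15:40Z 10.0.0.41 GET https://cdn.example/app.js?v=" + "a" * 80 + " 200",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding)
```

Only the second sample line is flagged: the ordinary short-link lookup and the long non-image query string pass through.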
