Researchers have found a way to bypass a key security framework that macOS and iOS use to control which data and system resources an app may access. The vulnerability lies within the Shortcuts app, and whether you are an avid user of this app or not, this report contains information vital to your online security.
On February 22, Bitdefender reported on vulnerability CVE-2024-23204, which affects Apple’s Shortcuts app. Bitdefender discovered the vulnerability and says it can give attackers access to sensitive data without the breached victim even knowing it.
The vulnerability affects devices running versions of macOS prior to Sonoma 14.3, and versions of iOS and iPadOS prior to 17.3. It is rated 7.5 out of 10.
Bitdefender reported the vulnerability to Apple, and in response, the company developed new software updates that all users must apply.
How the vulnerability can be exploited by criminals
The Shortcuts app allows users to automate a wide range of actions on their devices. The automation extends to various tasks and saves users time while increasing productivity.
Recently, Apple made Shortcuts available for its newest product, the Apple Vision. Shortcuts also runs on the Apple Watch.
In January 2024, Apple introduced new Shortcut features. With these features, Apple users can expand the type of actions they want to automate.
With these new features, Shortcuts, now more than ever, communicates with critical security systems on your Apple devices, manages your data, and works with other apps to automate tasks. In other words, this gives the app heavy security responsibilities.
Some sensitive Shortcuts features include:
- Transcribing Audio to text
- Opening the Camera in specific capture modes
- Opening Collection and navigating to a specific section of the Photos app, such as Places
- Showing Passwords and navigating to Passwords in Settings on iOS and System Settings on macOS
- Using Scan Document to capture an image and save it to the Files app on iOS
- The functions Set Hotspot Password and Get Hotspot Password
- Access to settings such as Toggle Cellular Plan, Set Default Line, Set Data Roaming, Find Cellular Plan, and Reset Cellular Data Statistics, which are now supported on iOS
- Starting or stopping data backups through the Start Time Machine Backup function with Time Machine on macOS
The Shortcuts Gallery and sharing dangerous content
One of the most popular features of Shortcuts is the Gallery, where users can browse through curated Shortcuts designed to automate workflows.
Another popular practice among the Shortcuts community is to export and share different automation workflow templates with one another. And this is where the vulnerability gains a foothold.
As Bitdefender explains, “This sharing mechanism extends the potential reach of the vulnerability, as users unknowingly import shortcuts that might exploit CVE-2024-23204.”
By using this vulnerability, cybercriminals could create malicious automation workflows in Shortcuts and then share them among the community. Once a victim imports one, their device is breached and their data is stolen.
Bitdefender expressed their concern about this possibility, given how many Shortcut users there are in the world.
“With Shortcuts being a widely used feature for efficient task management,” said Bitdefender, “the vulnerability raises concerns about the inadvertent dissemination of malicious shortcuts through diverse sharing platforms.”
Apple’s TCC framework breached
Remember the Apple security framework mentioned at the start of this report? The one that manages your personal data and how apps interact with it and with your system? Well, that is the famous (or, at least, famous within the cybersecurity community) Apple Transparency, Consent, and Control, also known as TCC. This framework is vital for all of Apple’s operating systems and governs user data and system resources used by applications.
Bitdefender says it crafted a Shortcuts file that exploits this vulnerability to bypass TCC, and confirms that the exploit accessed sensitive data even though it ran within the sandbox.
How your data could be exfiltrated
The exploitation of this vulnerability, fully coded and tested by Bitdefender, proves not only that TCC can be bypassed to access sensitive information but also that the data can then be exfiltrated from the victim’s device.
Using the Expand URL action, Bitdefender bypassed TCC and transmitted the base64-encoded contents of a photo to a website under its control. The method selects sensitive data through the Photos, Contacts, Files, and Clipboard actions available within Shortcuts, passes that data through the Base64 Encode action, and then forwards the result to an attacker-controlled server, site, or host.
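As an added example, not part of Bitdefender’s report or of Apple’s software, here is a defender-side triage check for shortcuts received from others: it parses a shortcut’s property list and flags the ordered chain described above, a sensitive-data action followed by Base64 Encode and then a network action such as Expand URL. The WFWorkflowActions key and the action identifier strings are assumptions based on the naming used in exported shortcut files and should be verified against a shortcut exported from your own device; the sample plists are constructed.

```python
import plistlib

# Action identifiers are assumed (not from the report); verify against a
# shortcut exported from your own device before relying on them.
SOURCES = {
    "is.workflow.actions.selectphoto": "Photos",
    "is.workflow.actions.selectcontacts": "Contacts",
    "is.workflow.actions.getclipboard": "Clipboard",
}
ENCODERS = {"is.workflow.actions.base64encode": "Base64 Encode"}
NETWORK = {
    "is.workflow.actions.url.expand": "Expand URL",
    "is.workflow.actions.downloadurl": "Get Contents of URL",
}

def find_exfil_chain(plist_bytes):
    """Return (source, encoder, sink) labels when a shortcut reads sensitive
    data, base64-encodes it, and then hands it to a network action, in that
    order; return None when no such ordered chain is present."""
    workflow = plistlib.loads(plist_bytes)
    source = encoder = None
    for action in workflow.get("WFWorkflowActions", []):
        ident = action.get("WFWorkflowActionIdentifier", "")
        if ident in SOURCES and source is None:
            source = SOURCES[ident]
        elif ident in ENCODERS and source is not None:
            encoder = ENCODERS[ident]
        elif ident in NETWORK and encoder is not None:
            return (source, encoder, NETWORK[ident])
    return None

def _plist(*idents):
    """Build a constructed, minimal shortcut plist from action identifiers."""
    steps = "".join(
        f"<dict><key>WFWorkflowActionIdentifier</key><string>{i}</string></dict>"
        for i in idents)
    return (b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
            b"<key>WFWorkflowActions</key><array>" + steps.encode() +
            b"</array></dict></plist>")

# Constructed samples: the chain from the report, and a benign look-alike that
# encodes a photo but never sends it anywhere.
SUSPICIOUS = _plist("is.workflow.actions.selectphoto",
                    "is.workflow.actions.base64encode",
                    "is.workflow.actions.url.expand")
BENIGN = _plist("is.workflow.actions.selectphoto",
                "is.workflow.actions.base64encode",
                "is.workflow.actions.showresult")

if __name__ == "__main__":
    print(find_exfil_chain(SUSPICIOUS))  # ('Photos', 'Base64 Encode', 'Expand URL')
    print(find_exfil_chain(BENIGN))      # None
```

This is an ordering heuristic only: Shortcuts can pass earlier output to a later action through variables regardless of position, so treat a match as a reason to inspect the shortcut before running it, not as proof of malice.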
Although Apple has released security updates that fix this issue, the same vulnerability could have been used for other purposes: to act as spyware, to establish a persistent foothold, or to deploy other malware such as ransomware.
How Apple users can stay safe
Apple users have the upper hand with this new vulnerability, because a fix is already available. However, it is very important that they update their macOS, iOS, iPadOS, and watchOS devices to the latest versions.
Shortcuts users are urged to stay vigilant about suspicious actions and to think twice before running a shortcut created and shared by an untrusted source. Enabling automatic OS updates and keeping up with cybersecurity news and Apple’s security patches is also advisable.
This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. Mac, iPhone, macOS, and iOS are trademarks of Apple Inc.