Details have emerged about a now-patched high-severity security flaw in Apple’s Shortcuts app that could permit a shortcut to access sensitive information on the device without users’ consent.
The vulnerability, tracked as CVE-2024-23204 (CVSS score: 7.5), was addressed by Apple on January 22, 2024, with the release of iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3.
Apple Shortcuts is a scripting application that allows users to create personalized workflows (aka macros) for executing specific tasks on their devices. It comes installed by default on iOS, iPadOS, macOS, and watchOS operating systems.
Bitdefender security researcher Jubaer Alnazi Jabin, who discovered and reported the Shortcuts bug, said it could be weaponized to create a malicious shortcut such that it can bypass Transparency, Consent, and Control (TCC) policies.
TCC is an Apple security framework that’s designed to protect user data from unauthorized access without requesting appropriate permissions in the first place.
Specifically, the flaw is rooted in a shortcut action called “Expand URL,” which is capable of expanding and cleaning up URLs that have been shortened using a URL shortening service like t.co or bit.ly, while also removing UTM tracking parameters.
“The method involves selecting any sensitive data (Photos, Contacts, Files, and clipboard data) within Shortcuts, importing it, converting it using the base64 encode option, and ultimately forwarding it to the malicious server.”
The exfiltrated data is then captured and saved as an image on the attacker’s end using a Flask application, paving the way for follow-on exploitation.
Source: https://thehackernews.com/