Critical Apple Shortcut Vulnerability Disclosed

Cybersecurity firm Bitdefender has issued a statement saying it has discovered a vulnerability in Apple shortcuts that allows a potential attacker to access sensitive data with certain actions without alerting the user.

The vulnerability is rated 7.5 out of 10 and affects Mac OS and iOS devices running versions prior to macOS Sonoma 14.3 and versions prior to iOS 17.3 and iPadOS 17.3, respectively. The cybersecurity firm notes that the said vulnerability was responsibly disclosed and is now fixed, and software updates have been made available to affected users.

How this vulnerability works

Jubaer Alnazi Jabin, a security researcher at Bitdefender, who discovered and reported the flaw in Shortcuts, argued that it could be used to create a malicious shortcut that bypasses Transparency, Consent and Control (TCC) policies.

TCC is an Apple security framework designed to safeguard user data against unauthorized access without requesting proper permissions in the first instance.
In particular, the flaw lies in a shortcut action called "Expand URL," which is capable of evolving and debugging URLs that have been shortened using a URL shortening service such as t.co or bit.ly, while removing UTM tracking parameters.

"By leveraging this functionality, it became possible to transmit Base64-encoded data from a photo to a malicious website," explained Alnazi Jabin.

"The method involves selecting any sensitive data (photos, contacts, files and clipboard data) within Shortcuts, importing it, converting it using the base64 encoding option and finally sending it to the malicious server."

The extracted data is then captured and saved as an image on the attacker's endpoint using a Flask application, paving the way for further exploitation.

The Impact of Critical Vulnerability CVE-2024-23204

Shortcuts are distributed through various channels and Apple has its gallery where users can discover automation workflows to streamline tasks. In addition, shortcuts can be exported and shared among users, a common practice in the shortcut community. This sharing mechanism expands the potential scope of the vulnerability, as users unknowingly import shortcuts that could exploit CVE-2024-23204. Since shortcuts are a widely used feature for efficient task management, the vulnerability raises concerns about the inadvertent spread of malicious shortcuts across various sharing platforms.

For CVE-2024-23204 it was possible to create a shortcut file that could bypass TCC. TCC, or Transparency, Consent and Control, is a security framework in Apple's macOS and iOS that governs access to sensitive user data and system resources by applications. TCC ensures that apps explicitly request permission from the user before accessing certain data or functionality, enhancing user privacy and security.

How to avoid this type of vulnerabilities?

It is important to always update the OS of our devices, since these updates correct vulnerabilities and errors, it is also very important that the shortcuts that we add to our devices are from reliable sources, as in the case of Routinehub, where there is a whole group of community developers dedicated to moderate the shortcuts that are uploaded daily to Routinehub and the vast majority of active members are reliable and outstanding developers of the community of shortcuts in general.