Hackers find a ‘Shortcut’ to data stored on iPhones, iPads, and Macs

Apple has advised users to patch their devices against a vulnerability affecting the Apple Shortcuts application that can allow hackers to access sensitive data without invoking user permission.

Tracked as CVE-2024-23204, the flaw has a critical rating (CVSS 7.5/10) because it can be exploited without any user interaction (zero-click), and it affects a range of Apple devices, including MacBooks, iPhones, iPads, and Apple Watches, since all of them support the Shortcuts application.

“A shortcut may be able to use sensitive data with certain actions without prompting the user,” Apple said in a security advisory, attributing the find to Jubaer Alnazi Jabin (@h33tjubaer), a cybersecurity research consultant at Bitdefender.

Apple’s Shortcuts is an automation application for Apple users looking to create personalized workflows to streamline their daily tasks.

Attackers can remotely exfiltrate data

The Shortcuts app enables automating tasks with custom workflows and syncs these workflows, called shortcuts, across other Apple devices. Additionally, Apple also allows sharing these shortcuts among users in the Apple community and features a gallery where users can discover pre-built shortcuts.

CVE-2024-23204 allows the application to be used to create a shortcut that bypasses the Transparency, Consent, and Control (TCC) security framework Apple uses to block unauthorized access to sensitive data on its devices.

A process of the Shortcuts app, com.apple.WorkflowKit.BackgroundShortcutRunner, which executes shortcuts in the background on Apple devices, can still access some sensitive data despite being sandboxed by TCC. This makes it possible to craft a malicious shortcut, which can then be circulated through the Shortcuts sharing mechanism.

“This sharing mechanism extends the potential reach of the vulnerability, as users unknowingly import shortcuts that might exploit CVE-2023-23204,” Jabin said in a blog post. “With Shortcuts being a widely used feature for efficient task management, the vulnerability raises concerns about the inadvertent dissemination of malicious shortcuts through diverse sharing platforms.”

The malicious shortcut makes use of an action function provisioned in the Shortcuts app, “Expand URL,” which allows for the expansion and cleaning up of any URL that has been previously shortened using shorteners such as t.co and bit.ly.

This function can be exploited to select sensitive data on the device (Photos, Contacts, Files, and Clipboard data), import it, base64-encode it, and send it to an attacker-controlled server, according to Jabin.
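As an added illustration (not code from the article or from Bitdefender's research), the following Python triage scanner parses an exported shortcut's unsigned plist and flags the action ordering described above: a sensitive-data action, followed by Base64 Encode, followed by Expand URL. The action identifier strings and the plist layout are assumptions made for this example and should be checked against a real exported shortcut.

```python
import plistlib

# Action identifiers as they are assumed to appear in an unsigned .shortcut
# plist export. These strings are assumptions for this example; verify them
# against an actual exported shortcut before relying on the scanner.
SENSITIVE_SOURCES = {
    "is.workflow.actions.getclipboard": "Clipboard",
    "is.workflow.actions.getlatestphotos": "Photos",
    "is.workflow.actions.selectcontacts": "Contacts",
    "is.workflow.actions.documentpicker.open": "Files",
}
BASE64_ENCODE = "is.workflow.actions.base64encode"
EXPAND_URL = "is.workflow.actions.url.expand"


def action_ids(plist_bytes):
    """Return the ordered action identifiers of a shortcut plist."""
    workflow = plistlib.loads(plist_bytes)
    return [a.get("WFWorkflowActionIdentifier", "")
            for a in workflow.get("WFWorkflowActions", [])]


def scan_shortcut(plist_bytes):
    """Flag the chain: sensitive data -> Base64 Encode -> Expand URL.

    Expand URL on its own is a normal link-cleaning action; the finding is
    the ordering in which device data is read, encoded, and then handed to
    an action that performs a network request without a TCC prompt.
    """
    sources, encoded, findings = [], False, []
    for ident in action_ids(plist_bytes):
        if ident in SENSITIVE_SOURCES:
            sources.append(SENSITIVE_SOURCES[ident])
        elif ident == BASE64_ENCODE and sources:
            encoded = True
        elif ident == EXPAND_URL and encoded:
            findings.append(f"possible exfiltration of {', '.join(sources)} via Expand URL")
    return findings


def build_shortcut(identifiers):
    """Constructed sample: a minimal unsigned shortcut plist with the given actions."""
    return plistlib.dumps({
        "WFWorkflowActions": [{"WFWorkflowActionIdentifier": i} for i in identifiers]
    })


# Constructed samples: a benign link cleaner and one matching the CVE-2024-23204 pattern.
BENIGN = build_shortcut([EXPAND_URL, "is.workflow.actions.showresult"])
SUSPECT = build_shortcut(["is.workflow.actions.getclipboard", BASE64_ENCODE, EXPAND_URL])

if __name__ == "__main__":
    print(scan_shortcut(BENIGN))
    print(scan_shortcut(SUSPECT))
```

The scanner is a triage aid for shortcuts received from the gallery or other users; a match warrants inspecting the shortcut before running it, not a verdict on its own.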

Apple releases yet another patch

The bug, which affects macOS before Sonoma 14.3, iOS before 17.3, and iPadOS before 17.3, has since been patched with additional permission checks.

In addition to applying the patches on all Apple devices, Jabin has advised Apple customers to exercise caution when executing shortcuts from untrusted sources.

Apple operating systems have been hit with a slew of security flaws in the last few months. In December 2023, Apple's iPads and Mac devices were threatened by a pair of zero-days (CVE-2023-42916 and CVE-2023-42917) allowing arbitrary code execution. Similarly, in June 2023, the company patched a pair of remote code execution (RCE) zero-days that were allegedly exploited in a digital espionage campaign, Operation Triangulation.

Another proof-of-concept (PoC), called iLeakage, demonstrated in October 2023 how a novel info-stealing side-channel attack could exploit a bug in Apple's Safari WebKit.
