Details have emerged about a now-patched high-severity security flaw in Apple’s Shortcuts app that could allow a shortcut to access sensitive information on the device without users’ consent.
The vulnerability, tracked as CVE-2024-23204 (CVSS score: 7.5), was patched by Apple on January 22, 2024, with the release of iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3.
“A shortcut may be able to use sensitive data with certain actions without prompting the user,” the iPhone maker said in an advisory, adding that the issue was addressed with “additional permission checks.”
Apple Shortcuts is a scripting application that allows users to create custom workflows (aka macros) to perform specific tasks on their devices. It is installed by default on iOS, iPadOS, macOS, and watchOS operating systems.
Bitdefender security researcher Jubaer Alnazi Jabin, who discovered and reported the Shortcuts bug, said that it could be weaponized to create a malicious link that bypasses Transparency, Consent and Control (TCC) policies.
TCC is an Apple security framework designed to protect user data from access by software that has not first requested the appropriate permissions.
Specifically, the flaw is rooted in a link action called “Expand URL,” which can expand and clean up URLs that have been shortened using a URL shortening service like t.co or bit.ly, while also removing UTM tracking parameters.
“By exploiting this functionality, it became possible to transmit Base64-encoded photo data to a malicious website,” explained Alnazi Jabin.
“The method involves selecting all sensitive data (photos, contacts, files, and clipboard data) within Shortcuts, importing them, converting them using the base64 encoding option, and finally forwarding them to the malicious server.”
The exfiltrated data is then captured and saved as an image on the attacker’s side using a Flask application, paving the way for subsequent exploitation.
“Shortcuts can be exported and shared between users, a common practice in the Shortcuts community,” the researcher said. “This sharing mechanism extends the potential reach of the vulnerability, as users unknowingly import shortcuts that could exploit CVE-2024-23204.”
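From the defender's side, the transfer described above (Base64-encoded photo data sent to a website inside a URL) leaves a recognizable trace in proxy or web gateway logs: a request URL whose path or query decodes to an image file signature. The following Python example is added here and is not code from the researcher or Apple; the log layout (client, method, URL), the host names and the sample lines are constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, unquote

# File signatures of common image formats.
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF8": "gif"}
# Run of base64 or base64url characters long enough to be worth decoding.
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{24,}")

def decode_b64(token):
    """Decode standard or URL-safe base64, tolerating missing padding."""
    token = token.replace("-", "+").replace("_", "/")
    if len(token) % 4 == 1:  # impossible length for base64
        return None
    try:
        return base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None

def image_in_url(url):
    """Return the image type if a path segment or query value decodes to an image."""
    parts = urlsplit(url)
    fields = parts.path.split("/") + [p.partition("=")[2] for p in parts.query.split("&")]
    for field in fields:
        for run in B64_RUN.findall(unquote(field)):
            data = decode_b64(run)
            for magic, kind in IMAGE_MAGIC.items():
                if data and data.startswith(magic):
                    return kind
    return None

def flag_requests(log_lines):
    """Return (client, host, kind) for 'client method url' lines that carry image data."""
    hits = []
    for line in log_lines:
        client, _method, url = line.split()[:3]
        kind = image_in_url(url)
        if kind:
            hits.append((client, urlsplit(url).hostname, kind))
    return hits

# Constructed sample: one ordinary request and one carrying a base64 JPEG header.
_jpeg = base64.b64encode(b"\xff\xd8\xff\xe0" + bytes(32)).decode()
SAMPLE_LOG = [
    "10.0.0.5 GET https://news.example/article?id=42&utm_source=feed",
    f"10.0.0.7 GET https://collector.example/u?d={_jpeg}",
]
```

Running `flag_requests(SAMPLE_LOG)` flags only the second line; long tokens that decode to non-image bytes, such as session identifiers, are ignored.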