A dangerous vulnerability has emerged in Apple Shortcuts, which could allow attackers to access sensitive data on the device without the user being asked to grant permissions.
Apple’s Shortcuts application, designed for macOS and iOS, aims to automate tasks. For businesses, it allows users to create macros to perform specific tasks on their devices and then combine them into workflows for everything from web automation to smart factory functions. These can then be shared online via iCloud and other platforms with colleagues and partners.
According to a Bitdefender analysis available today, the vulnerability (CVE-2024-23204) makes it possible to create a malicious shortcut file that can bypass Apple’s Transparency, Consent and Control (TCC) security framework, which is supposed to ensure that apps explicitly ask the user for permission before accessing certain data or features.
This means that when someone adds a malicious shortcut to their library, it can silently steal sensitive data and system information without having to ask the user to grant access permission. In their proof-of-concept (PoC) exploit, Bitdefender researchers were then able to exfiltrate the data in an encrypted image file.
“Since shortcuts are a widely used feature for efficient task management, the vulnerability raises concerns about the inadvertent spread of malicious shortcuts across different sharing platforms,” the report notes.
The bug poses a threat to macOS and iOS devices running versions earlier than macOS Sonoma 14.3, iOS 17.3, and iPadOS 17.3, and is rated 7.5 out of a possible 10 (high) in the Common Vulnerability Scoring System (CVSS) because it can be exploited remotely with no privileges required.
Apple has fixed the bug, and “we’re urging users to make sure they’re using the latest version of the Apple Shortcuts software,” says Bogdan Botezatu, director of threat research and reporting at Bitdefender.
Apple Security Vulnerabilities: Increasingly Common
In October, Accenture published a report revealing a tenfold increase in Dark Web threat actors targeting macOS since 2019, a trend set to continue.
The results coincide with the emergence of sophisticated macOS infostealers created to bypass Apple’s built-in detection. And Kaspersky researchers recently discovered macOS malware targeting Bitcoin and Exodus crypto wallets, with the malicious software replacing genuine apps with compromised versions.
Bugs also continue to come to light, making initial access easier. For example, earlier this year Apple fixed a zero-day vulnerability (CVE-2024-23222) in the WebKit engine of its Safari browser, caused by a type confusion error, where input validation assumptions can lead to exploitation.
To avoid negative outcomes from Apple bugs overall, the report strongly advises users to update their macOS, iPadOS, and watchOS devices to the latest versions, be careful when running shortcuts from untrusted sources, and regularly check for security updates and patches from Apple.