Experts warned that the popular iOS productivity app had flaws that allowed threat actors to steal sensitive data from the vulnerable device.
The app in question is called Apple Shortcuts and acts as a nifty time-saving widget that allows apps to interact with each other on specific tasks and thus generate useful actions, such as using it to determine the user's location, calculating how long it would take to arrive home, and send that information via SMS to a contact.
Now, Hacker News reports that Shortcuts had a high severity flaw that allowed unidentified individuals to access sensitive information, stored on the device, without the user's consent. The flaw is tracked as CVE-2024-23204 and has a severity score of 7.5.
Bypass email security
“A shortcut can use sensitive data with certain actions without notifying the user,” Apple said in the advisory published with its patch for the flaw. The vulnerability was addressed with “additional permissions checks.”
While Apple's explanation may be purely theoretical, that of Bitdefender security researcher Jubaer Alnazi Jabin is much more practical. Jabin, who reported the bug to Apple in the first place, said the flaw could be abused to create a malicious shortcut capable of bypassing Transparency, Consent and Control (TCC) policies, Apple's data protection framework. .
Explaining how the flaw works, Jabin said that shortcuts have an action called “Expand URLs,” which expands shortened URLs and removes them from UTM tags.
“By leveraging this functionality, it was possible to transmit the Base64-encoded data of a photo to a malicious website,” Jabin said. “The method involves selecting sensitive data (photos, contacts, files and clipboard data) within the shortcuts, importing it, converting it using the base64 encoding option and finally forwarding it to the malicious server.”
The data can then be saved as an image via Flask. “Shortcuts can be exported and shared among users, a common practice in the shortcut community,” the researcher said. “This sharing mechanism expands the potential scope of the vulnerability, as users unknowingly import shortcuts that could exploit CVE-2024-23204.”