Details have emerged about a high-severity security flaw in Apple‘s Shortcuts app. This vulnerability, tracked as CVE-2024-23204, has the potential to grant shortcuts unauthorized access to sensitive data without user consent.
Apple Shortcuts is an automation application for macOS and iOS devices, empowering users to craft customized workflows for optimizing tasks and boosting efficiency. Featuring an intuitive interface, Shortcuts facilitates the automation of diverse actions, ranging from basic tasks like sending messages to intricate operations spanning multiple applications.
Given Shortcuts’ widespread adoption as a tool for streamlining task management, the vulnerability could lead to the propagation of malicious shortcuts across various sharing platforms.
CVE-2024-23204 Vulnerability: Technical Overview
The CVE-2024-23204 vulnerability stems from a loophole in Apple’s Shortcuts app, a versatile scripting tool allowing users to automate tasks on their devices. This flaw, with a CVSS score of 7.5, was identified by Bitdefender security researcher Jubaer Alnazi Jabin. It centers around a specific shortcut action called “Expand URL,” which, while intended to streamline URL processing, inadvertently exposes a pathway for unauthorized access to sensitive data.
Exploiting the Flaw
Exploiting the vulnerability involves leveraging the “Expand URL” action to encode sensitive data, such as photos, contacts, files, or clipboard contents, into Base64 format and transmitting it to a malicious server. This data exfiltration process bypasses Apple’s Transparency, Consent, and Control (TCC) policies, which are designed to safeguard user data from unauthorized access.
The implications of this vulnerability are far-reaching. Malicious actors could weaponize the exploit to craft nefarious shortcuts capable of harvesting sensitive information from unsuspecting users’ devices. The ability to covertly capture and exfiltrate data poses a significant privacy and security risk, potentially exposing users to identity theft, financial fraud, and other forms of exploitation.
Protecting Against Exploitation
The problem was resolved by implementing additional permissions checks. This issue has been rectified in macOS Sonoma 14.3, watchOS 10.3, iOS 17.3, and iPadOS 17.3. Certain actions within a shortcut may have previously enabled the use of sensitive data without requiring user permission.
In light of this security lapse, users are urged to promptly update their devices to the latest software versions.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: