Experts have warned popular iOS productivity app was flawed in a way that allowed threat actors to steal sensitive data from the vulnerable device.
The app in question is called Apple Shortcuts, and it acts as a nifty little time-saving widget that allows apps to interact with one another on specific tasks and thus generate useful actions, such as using it to determine the user’s location, calculate how much time it would take to get home, and send that information via SMS, to a contact.
Now, The Hacker News is reporting that Shortcuts carried a high severity flaw that allowed unidentified individuals to access sensitive information, stored on the device, without user consent. The flaw is tracked as CVE-2024-23204, and holds a severity score of 7.5.
Bypassing email security
“A shortcut may be able to use sensitive data with certain actions without prompting the user,” Apple said in the advisory published with its patch for the flaw. The vulnerability was fixed with “additional permissions checks.”
While Apple’s explanation might be purely theoretical, one from Bitdefender security researcher Jubaer Alnazi Jabin is a lot more practical. Jabin, who was the one to report the bug to Apple in the first place, said the flaw could be abused to create a malicious shortcut capable of working around Transparency, Consent, and Control (TCC) policies – Apple’s data protection framework.
Explaining how the flaw works, Jabin said Shortcuts have an action called “Expand URL”, which expands shortened URLs and clears them of UTM tags.
“By leveraging this functionality, it became possible to transmit the Base64-encoded data of a photo to a malicious website,” Jabin said. “The method involves selecting any sensitive data (Photos, Contacts, Files, and clipboard data) within Shortcuts, importing it, converting it using the base64 encode option, and ultimately forwarding it to the malicious server.”
The data can then be saved as an image via Flask. “Shortcuts can be exported and shared among users, a common practice in the Shortcuts community,” the researcher said. “This sharing mechanism extends the potential reach of the vulnerability, as users unknowingly import shortcuts that might exploit CVE-2024-23204.”