Lucene search

K
thnThe Hacker NewsTHN:F200E97BC17EAEDDBD1D0396FD03F242
HistoryFeb 23, 2024 - 5:05 a.m.

Researchers Detail Apple's Recent Zero-Click Shortcuts Vulnerability

2024-02-2305:05:00
The Hacker News
thehackernews.com
18
apple shortcuts
security flaw
cve-2024-23204
ios 17.3
ipados 17.3
macos sonoma 14.3
watchos 10.3
data access
user consent

8.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.5%

Zero-Click Shortcuts Vulnerability

Details have emerged about a now-patched high-severity security flaw in Apple’s Shortcuts app that could permit a shortcut to access sensitive information on the device without users’ consent.

The vulnerability, tracked as CVE-2024-23204 (CVSS score: 7.5), was addressed by Apple on January 22, 2024, with the release of iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3.

β€œA shortcut may be able to use sensitive data with certain actions without prompting the user,” the iPhone maker said in an advisory, stating it was fixed with β€œadditional permissions checks.”

Cybersecurity

Apple Shortcuts is a scripting application that allows users to create personalized workflows (aka macros) for executing specific tasks on their devices. It comes installed by default on iOS, iPadOS, macOS, and watchOS operating systems.

Bitdefender security researcher Jubaer Alnazi Jabin, who discovered and reported the Shortcuts bug, said it could be weaponized to create a malicious shortcut such that it can bypass Transparency, Consent, and Control (TCC) policies.

TCC is an Apple security framework that’s designed to protect user data from unauthorized access without requesting appropriate permissions in the first place.

Specifically, the flaw is rooted in a shortcut action called β€œExpand URL,” which is capable of expanding and cleaning up URLs that have been shortened using a URL shortening service like t.co or bit.ly, while also removing UTM tracking parameters.

β€œBy leveraging this functionality, it became possible to transmit the Base64-encoded data of a photo to a malicious website,” Alnazi Jabin explained.

Cybersecurity

β€œThe method involves selecting any sensitive data (Photos, Contacts, Files, and clipboard data) within Shortcuts, importing it, converting it using the base64 encode option, and ultimately forwarding it to the malicious server.”

The exfiltrated data is then captured and saved as an image on the attacker’s end using a Flask application, paving the way for follow-on exploitation.

β€œShortcuts can be exported and shared among users, a common practice in the Shortcuts community,” the researcher said. β€œThis sharing mechanism extends the potential reach of the vulnerability, as users unknowingly import shortcuts that might exploit CVE-2024-23204.”

Found this article interesting? Follow us on Twitter ο‚™ and LinkedIn to read more exclusive content we post.

8.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.5%

Related for THN:F200E97BC17EAEDDBD1D0396FD03F242