Apple’s Shortcuts application has a bug that can allow attackers to remotely access sensitive data on Apple devices without user permission.

Apple has advised users to patch their devices against a vulnerability in the Apple Shortcuts application that can allow hackers to access sensitive data without triggering a user permission prompt. Tracked as CVE-2024-23204, the flaw has a critical rating (CVSS 7.5/10) because of its zero-click exploitation, and it affects a range of Apple devices, including MacBooks, iPhones, iPads, and Apple Watches, as they all support the Shortcuts application.

“A shortcut may be able to use sensitive data with certain actions without prompting the user,” Apple said in a security advisory, attributing the find to Jubaer Alnazi Jabin (@h33tjubaer), a cybersecurity research consultant at Bitdefender.

Apple’s Shortcuts is an automation application for Apple users who want to create personalized workflows to streamline their daily tasks.

Attackers can remotely exfiltrate data

The Shortcuts app enables automating tasks with custom workflows and syncs these workflows, called shortcuts, across the user’s other Apple devices. Apple also allows sharing these shortcuts among users in the Apple community and features a gallery where users can discover pre-built shortcuts.

CVE-2024-23204 allows the application to be used to create a shortcut that bypasses the transparency, consent, and control (TCC) security framework that Apple has in place for blocking unauthorized access to sensitive data on its devices. A process of the Shortcuts app, com.apple.WorkflowKit.BackgroundShortcutRunner, which executes shortcuts in the background on Apple devices, can still access some sensitive data despite being sandboxed by TCC. This allows for crafting a malicious shortcut, which can then be circulated through Shortcuts’ sharing mechanism.
“This sharing mechanism extends the potential reach of the vulnerability, as users unknowingly import shortcuts that might exploit CVE-2024-23204,” Jabin said in a blog post. “With Shortcuts being a widely used feature for efficient task management, the vulnerability raises concerns about the inadvertent dissemination of malicious shortcuts through diverse sharing platforms.”

The malicious shortcut makes use of an action provided by the Shortcuts app, “Expand URL,” which expands and cleans up any URL that has previously been shortened with a service such as t.co or bit.ly. This action can be abused to select sensitive data on the device (Photos, Contacts, Files, and clipboard data), import it, base64-encode it, and send it to an attacker-controlled server, according to Jabin.

Apple releases yet another patch

The bug, which affects macOS before Sonoma 14.3, iOS before 17.3, and iPadOS before 17.3, has been patched with additional permission checks. In addition to applying the patches on all Apple devices, Jabin has advised Apple customers to exercise caution when executing shortcuts from untrusted sources.

Apple operating systems have been hit with a slew of security flaws in the last few months. In December 2023, Apple’s iPads and Mac devices were threatened by a pair of zero-days (CVE-2023-42916 and CVE-2023-42917) allowing arbitrary code execution. Similarly, in June 2023 the company patched a pair of remote code execution (RCE) zero-days that were allegedly exploited in a digital espionage campaign, Operation Triangulation. Another proof-of-concept (PoC), called iLeakage, demonstrated in October 2023 how a novel information-stealing side-channel attack could exploit a bug in Apple’s Safari WebKit.
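As an added defensive illustration (not code from Apple, Bitdefender, or the article), the script below scans an exported shortcut plist for the action chain the article describes: a sensitive-data source, then Base64 Encode, then Expand URL, in that order. The WFWorkflowActions / WFWorkflowActionIdentifier keys are the layout of exported shortcut files; the specific action identifier strings and the sample shortcuts are assumptions constructed for the example.

```python
"""Heuristic triage of an exported Shortcuts workflow (.shortcut / .plist).
Flags the chain: sensitive-data source -> Base64 Encode -> Expand URL.
Action identifier strings below are assumed, not taken from the article."""
import plistlib
from typing import List, Optional, Tuple

# Assumed identifiers for actions that read sensitive data (constructed set).
SENSITIVE_SOURCES = {
    "is.workflow.actions.getclipboard",
    "is.workflow.actions.selectphoto",
    "is.workflow.actions.selectcontacts",
    "is.workflow.actions.documentpicker.open",
}
BASE64_ACTION = "is.workflow.actions.base64encode"    # assumed identifier
EXPAND_URL_ACTION = "is.workflow.actions.url.expand"  # assumed identifier


def action_ids(plist_bytes: bytes) -> List[str]:
    """Return the ordered action identifiers of an exported shortcut."""
    workflow = plistlib.loads(plist_bytes)
    return [a.get("WFWorkflowActionIdentifier", "")
            for a in workflow.get("WFWorkflowActions", [])]


def find_exfil_chain(plist_bytes: bytes) -> Optional[List[Tuple[int, str]]]:
    """Return [(index, id), ...] for the first source -> base64 -> Expand URL
    sequence, preserving order, or None when no such chain exists."""
    source = b64 = None
    for i, ident in enumerate(action_ids(plist_bytes)):
        if ident in SENSITIVE_SOURCES and source is None:
            source = (i, ident)
        elif ident == BASE64_ACTION and source is not None and b64 is None:
            b64 = (i, ident)
        elif ident == EXPAND_URL_ACTION and b64 is not None:
            return [source, b64, (i, ident)]
    return None


def build_sample(actions: List[str]) -> bytes:
    """Build a constructed sample shortcut plist (not a real exported file)."""
    return plistlib.dumps({
        "WFWorkflowName": "sample",
        "WFWorkflowActions": [{"WFWorkflowActionIdentifier": a} for a in actions],
    })


# Constructed samples: one matching the chain, one benign Expand URL use.
SUSPICIOUS = build_sample(
    ["is.workflow.actions.getclipboard", BASE64_ACTION, EXPAND_URL_ACTION])
BENIGN = build_sample(["is.workflow.actions.gettext", EXPAND_URL_ACTION])

if __name__ == "__main__":
    print("suspicious:", find_exfil_chain(SUSPICIOUS))  # chain at indices 0,1,2
    print("benign:", find_exfil_chain(BENIGN))          # None
```

A match is a triage signal, not proof of malice; review the flagged shortcut's actions and the URL the Expand URL step receives before deciding.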