Experts have warned that the popular iOS productivity app was so flawed that cybercriminals were able to steal sensitive data from the vulnerable device.
The app in question is called Apple Shortcuts and acts as a handy little time-saving widget that allows apps to communicate with each other about specific tasks and thus generate useful actions, such as using it to determine the user’s location, calculate how much time it will take would be to come home and text that information to a contact.
Now, The hacker news reports that Shortcuts contained a very serious flaw that could allow unidentified individuals to access sensitive information stored on the device without the user’s consent. The flaw is tracked as CVE-2024-23204 and has a severity score of 7.5.
Bypass email security
“A shortcut could potentially use sensitive data for certain actions without prompting the user,” Apple said in the advisory published with the patch for the flaw. The vulnerability was addressed with ‘additional consent checks’.
While Apple’s explanation may be purely theoretical, it is one of them Bitdefender security researcher Jubaer Alnazi Jabin is a lot more practical. Jabin, who initially reported the bug to Apple, said the flaw could be exploited to create a malicious shortcut that can bypass the Transparency, Consent, and Control (TCC) policy (Apple’s data protection framework) .
Explaining how the bug works, Jabin said that Shortcuts have an action called “Expand URL,” which expands shortened URLs and strips them of UTM tags.
“Using this functionality made it possible to send a photo’s Base64-encoded data to a malicious website,” Jabin said. “The method involves selecting sensitive data (photos, contacts, files and clipboard data) within Shortcuts, importing it, converting it using the base64 encoding option and finally forwarding it to the malicious server.”
The data can then be saved as an image via Flask. “Shortcuts can be exported and shared between users, a common practice in the shortcut community,” the researcher said. “This sharing mechanism increases the potential reach of the vulnerability as users unknowingly import shortcuts that could exploit CVE-2024-23204.”