A vulnerability in Apple Shortcuts [1] [2] [3] [4] [10], identified as CVE-2024-23204 [3] [8] [10], was discovered by Bitdefender [1] [2] [5]. It allowed attackers to bypass the Transparency, Consent, and Control (TCC) security framework [3] [5] [7] [8] [9] on macOS and iOS devices [8] [9].

Description

This flaw enabled malicious shortcuts to collect sensitive data without user consent by sending base64-encoded photo data to malicious servers through the ‘Expand URL’ feature. The exploit (CVE-2024-23204) bypasses Apple’s security framework [4], enabling malicious shortcuts to silently steal data [4]. Bitdefender researchers were able to exfiltrate data in a proof-of-concept exploit [4], raising concerns about inadvertent sharing of malicious shortcuts [4].

The vulnerability is rated 7.5 out of 10 in severity [1], a high CVSS score [4]. It affects macOS and iOS devices running versions prior to macOS Sonoma 14.3 [4], iOS 17.3 [2] [4] [5] [6] [7] [9], and iPadOS 17.3 [4] [9]. Apple has addressed it with additional permissions checks in the macOS Sonoma 14.3, watchOS 10.3 [9], iOS 17.3 [2] [4] [5] [6] [7] [9], and iPadOS 17.3 updates [4] [9], and urges users to update to the latest version of Apple Shortcuts [4].

Separately, amid rising Dark Web threats targeting macOS [1], Accenture has reported malware targeting cryptowallets and zero-day vulnerabilities in Safari [1]. Apple has taken proactive steps to combat these threats, emphasizing the importance of regular device updates and caution when using shortcuts from untrusted sources. Apple has also recently fixed multiple vulnerabilities in its products, including critical security alerts for Safari WebKit [9], an iLeakage vulnerability affecting Macs and iPhones [9], and Bluetooth vulnerabilities affecting various devices [9]. Security updates have been released to address zero-day vulnerabilities that could allow hackers to execute code and access sensitive data on compromised devices [9].
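The exfiltration pattern described above, base64-encoded photo data carried inside a URL, leaves a recognisable trace in egress logs. The following Python check is an added example, not code from Bitdefender or any of the cited articles: it flags URLs that contain a long base64 run whose first bytes decode to an image header. It assumes request URLs are available from a web proxy or similar log; the function names, hosts and sample URLs are constructed for illustration.

```python
import base64
import re
from urllib.parse import quote, unquote, urlsplit

# A run of base64 / base64url characters long enough to carry file content.
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{64,}={0,2}")

def image_kind(blob):
    """Name the image type from leading magic bytes, or return None."""
    if blob.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if blob.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if blob[4:8] == b"ftyp" and blob[8:12] in (b"heic", b"heix", b"mif1"):
        return "heic"
    return None

def candidates(url):
    """Yield decoded query values and every path suffix that follows a '/'.

    Suffixes rather than segments, because standard base64 may contain '/'.
    """
    parts = urlsplit(url)
    path = unquote(parts.path)
    yield from (path[i + 1:] for i, ch in enumerate(path) if ch == "/")
    for pair in parts.query.split("&"):
        yield unquote(pair.partition("=")[2])

def find_encoded_images(url):
    """Return (kind, run_length) for each base64 run that starts like an image."""
    hits = []
    for text in candidates(url):
        m = B64_RUN.match(text)
        if m:
            # 24 base64 characters decode to 18 bytes, enough for every check.
            head = m.group()[:24].replace("-", "+").replace("_", "/")
            kind = image_kind(base64.b64decode(head))
            if kind:
                hits.append((kind, len(m.group())))
    return hits

# Constructed sample requests (hosts, paths and payloads are placeholders).
_JPEG = base64.b64encode(b"\xff\xd8\xff\xe0" + bytes(60)).decode()
_PNG = base64.urlsafe_b64encode(b"\x89PNG\r\n\x1a\n" + bytes(56)).decode()
SAMPLE_URLS = [
    "https://collector.example/expand?d=" + quote(_JPEG, safe=""),
    "https://collector.example/u/" + _PNG,
    "https://news.example/article?id=12345&ref=newsletter",
    "https://login.example/cb?token=" + "A" * 80,
]
```

A hit is a lead for triage, not proof of compromise: legitimate services also embed encoded images in URLs, so correlate with the destination host and the originating process or device.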

Conclusion

The discovery of this vulnerability highlights the importance of regular software updates and caution when using shortcuts from untrusted sources. Apple’s proactive approach to addressing security threats is commendable, but users must remain vigilant to protect their devices from potential exploits. The implications of this vulnerability serve as a reminder of the ongoing battle against cyber threats and the need for continuous improvement in security measures.

References

[1] https://www.darkreading.com/application-security/zero-click-apple-shortcuts-vulnerability-allows-silent-data-theft
[2] https://www.youmobile.org/blogs/entry/Apple-s-Shortcuts-could-be-a-shortcut-to-a-privacy-nightmare
[3] https://central.bitdefender.com/blog/labs/details-on-apples-shortcuts-vulnerability-a-deep-dive-into-cve-2024-23204/
[4] https://droidtuto.com/la-vulnerabilite-des-raccourcis-apple-zero-click-permet-un-vol-de-donnees-silencieux/
[5] https://appleinsider.com/articles/24/02/22/a-critical-shortcuts-vulnerability-was-fixed-in-ios-173
[6] https://phandroid.com/2024/02/22/apples-shortcuts-could-be-a-shortcut-to-a-privacy-nightmare/
[7] https://forums.appleinsider.com/discussion/235535/a-critical-shortcuts-vulnerability-was-fixed-in-ios-17-3
[8] https://zerosecurity.org/2024/02/bitdefender-discovers-critical-vulnerability-cve-2024-23204-in-apple-shortcut/
[9] https://www.hackread.com/apple-shortcuts-vulnerability-exposed-data-update/
[10] https://www.govinfosecurity.com/breach-roundup-more-fallout-from-lockbit-takedown-a-24427