Skip to content Skip to footer

Researchers Detail Apple’s Recent Zero-Click Shortcuts Vulnerability

's Shortcuts has been found to contain a high-severity security vulnerability that could allow unauthorized access to sensitive data on a user's device. The flaw, identified as -2024-23204, was recently patched by in its latest software update on January 22, 2024, including iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3.

According to an advisory issued by , the vulnerability could be exploited by a malicious shortcut to gain access to sensitive data without the user's consent. The iPhone maker has fixed the problem with “additional permissions checks” to ensure that a shortcut cannot use sensitive data without prompting the user.

Shortcuts is a scripting application enabling users to create custom workflows or macros for performing tasks on their devices. The comes pre-installed on iOS, iPadOS, macOS, and watchOS operating systems.

The flaw was discovered by Bitdefender security researcher Jubaer Alnazi Jabin, who found that it could be weaponized to bypass Transparency, Consent, and Control (TCC) policies to protect user data from unauthorized access. The vulnerability is rooted in a shortcut action called “Expand URL,” which is used to expand and clean up URLs that have been shortened using a URL shortening service like t.co or bit.ly while removing UTM tracking parameters.

The researcher explained that by exploiting this functionality, a malicious actor can transmit Base64-encoded data of a photo to a malicious website. The attacker can select sensitive data such as photos, contacts, files, and clipboard data within Shortcuts, import it, convert it using the Base64 encode option, and forward it to the malicious server. The exfiltrated data is then captured and saved as an image on the attacker's end using a Flask application, paving the way for follow-on exploitation.

Importantly, Shortcuts can be exported and shared among users, making it a common practice in the Shortcuts community. This sharing mechanism extends the potential reach of the vulnerability, as users may unknowingly import shortcuts that -2024-23204.

Want to read more? Check out the original article available at The Hacker News!

Read More

Leave a comment

Newsletter Signup
Address

The Grid —
The Matrix Has Me
Big Bear Lake, CA 92315

01010011 01111001 01110011 01110100 01100101 01101101 00100000
01000110 01100001 01101001 01101100 01110101 01110010 01100101

What you see on these screens up here is a fantasy; a computer enhanced hallucination!Stephen Falken

Deitasoft © 2024. All Rights Reserved.