Apple Shortcuts Zero-Click Vulnerability Enables Covert Data Theft
February 22, 2024
A significant vulnerability has been discovered in Apple's Shortcuts app that could allow attackers to access confidential data on a device without the user's permission. The Shortcuts application, available for both macOS and iOS, is a tool for automating tasks. It allows users to create macros for specific tasks and then combine them into workflows for a range of applications, from web automation to smart factory functions. These workflows can then be shared online via iCloud and other platforms.
Bitdefender's analysis revealed that this vulnerability, designated as CVE-2024-23204, enables the creation of a malicious Shortcuts file capable of bypassing Apple's Transparency, Consent, and Control (TCC) security framework. This framework is designed to ensure that apps explicitly ask users for permission before accessing certain data or functionalities. Because the bypass sidesteps those prompts, a malicious shortcut that a user adds to their library can covertly steal sensitive data and system information without requiring user permission. In their proof-of-concept exploit, Bitdefender researchers were able to extract the data in an encrypted image file.
The vulnerability is particularly concerning due to the widespread use of Shortcuts for efficient task management. The potential for malicious shortcuts to be unintentionally distributed via various sharing platforms is a serious threat. The bug poses a risk to macOS and iOS devices running versions prior to macOS Sonoma 14.3, iOS 17.3, and iPadOS 17.3. It has been rated as 7.5 out of 10 on the Common Vulnerability Scoring System (CVSS) due to its potential for remote exploitation without needing any privileges.
Apple has since patched the bug. Bogdan Botezatu, director of threat research and reporting at Bitdefender, urges users to ensure they are running the latest version of the Apple Shortcuts software. In a report published by Accenture in October, it was revealed that there has been a tenfold increase in threat actors targeting macOS since 2019, a trend that is likely to continue. This coincides with the emergence of sophisticated macOS infostealers designed to evade Apple's built-in detection.
Kaspersky researchers have also recently found macOS malware targeting Bitcoin and Exodus cryptowallets, replacing legitimate apps with compromised versions. Furthermore, earlier this year, Apple addressed a zero-day vulnerability in its Safari browser's WebKit engine, CVE-2024-23222, caused by a type confusion error. To reduce the risk, the report strongly recommends that users update their macOS, iPadOS, and watchOS devices to the latest versions, be wary of running shortcuts from untrusted sources, and regularly check for security updates and patches from Apple.
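A fleet triage check against the fixed releases named in this article (macOS Sonoma 14.3, iOS 17.3, iPadOS 17.3), added here as an example and not taken from Bitdefender or Apple. The inventory rows, host names and field names (`host`, `platform`, `os_version`) are constructed assumptions; platforms the article gives no fixed version for, such as watchOS, are routed to manual review rather than guessed.

```python
# Fixed releases for CVE-2024-23204 as stated in the article.
FIXED = {"macos": (14, 3), "ios": (17, 3), "ipados": (17, 3)}

def parse_version(text):
    """Turn '14.2.1' into (14, 2, 1); raise ValueError on malformed input."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_exposed(platform, version):
    """True = older than the fix, False = fixed, None = platform not covered."""
    fixed = FIXED.get(platform.strip().lower())
    if fixed is None:
        return None
    v = parse_version(version)
    # Pad both tuples so '14' compares as 14.0, and compare numerically
    # so that a two-digit minor such as .10 is not sorted before .3.
    width = max(len(v), len(fixed))
    v += (0,) * (width - len(v))
    fixed += (0,) * (width - len(fixed))
    return v < fixed

def triage(inventory):
    """Split inventory rows into exposed hosts and hosts needing manual review."""
    exposed, review = [], []
    for row in inventory:
        host = row.get("host", "<unknown>")
        try:
            state = is_exposed(row["platform"], row["os_version"])
        except (KeyError, ValueError):
            state = None  # missing field or malformed version string
        if state is None:
            review.append(host)
        elif state:
            exposed.append(host)
    return exposed, review

# Constructed sample inventory (hypothetical hosts, versions and field names).
SAMPLE = [
    {"host": "mbp-01", "platform": "macOS", "os_version": "14.2.1"},
    {"host": "mbp-02", "platform": "macOS", "os_version": "14.3"},
    {"host": "iphone-07", "platform": "iOS", "os_version": "17.10"},
    {"host": "ipad-03", "platform": "iPadOS", "os_version": "17.2.1"},
    {"host": "watch-01", "platform": "watchOS", "os_version": "10.2"},
    {"host": "mbp-09", "platform": "macOS", "os_version": "14.x"},
]

print(triage(SAMPLE))
```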