Apple Shortcuts Zero-Click Vulnerability Enables Covert Data Theft

February 22, 2024

A significant vulnerability has been discovered in Apple's Shortcuts app, which could potentially allow cyber attackers to gain access to confidential data on a device without the user's permission. The Shortcuts application, available for both macOS and iOS, is a tool for automating tasks. It allows users to create macros for specific tasks and then combine them into workflows for a range of applications, from web automation to smart factory functions. These workflows can then be shared online via iCloud and other platforms.

Bitdefender's analysis revealed that this vulnerability, designated CVE-2024-23204, enables the creation of a malicious Shortcuts file capable of bypassing Apple's Transparency, Consent, and Control (TCC) security framework. TCC is designed to ensure that apps explicitly ask users for permission before accessing certain data or functionality. In practice this means that if a user adds a malicious shortcut to their library, it can covertly steal sensitive data and system information without any permission prompt. In their proof-of-concept exploit, Bitdefender researchers were able to exfiltrate the data inside an encrypted image file.

The vulnerability is particularly concerning due to the widespread use of Shortcuts for efficient task management. The potential for malicious shortcuts to be unintentionally distributed via various sharing platforms is a serious threat. The bug poses a risk to macOS and iOS devices running versions prior to macOS Sonoma 14.3, iOS 17.3, and iPadOS 17.3. It has been rated as 7.5 out of 10 on the Common Vulnerability Scoring System (CVSS) due to its potential for remote exploitation without needing any privileges.

Apple has since patched the bug. Bogdan Botezatu, director of threat research and reporting at Bitdefender, urges users to ensure they are running the latest version of the Apple Shortcuts software. In a report published by Accenture in October, it was revealed that there has been a tenfold increase in threat actors targeting macOS since 2019, a trend that is likely to continue. This coincides with the emergence of sophisticated macOS infostealers designed to evade Apple's built-in detection.

Kaspersky researchers have also recently found macOS malware targeting Bitcoin and Exodus cryptowallets, replacing legitimate apps with compromised versions. Furthermore, earlier this year, Apple addressed a zero-day vulnerability in its Safari browser's WebKit engine, CVE-2024-23222, caused by a type confusion error. To avoid negative outcomes, the report strongly recommends that users update their macOS, iPadOS, and watchOS devices to the latest versions, be wary of running shortcuts from untrusted sources, and regularly check for security updates and patches from Apple.
