Apple Shortcuts security vulnerability (CVE-2024-23204) allows attackers to access targeted devices and steal sensitive data – update your devices now!
Cybersecurity firm Bitdefender has discovered a vulnerability in Apple Shortcuts, rated 7.5/10 in severity, that allows attackers to access sensitive data without prompting users. According to Bitdefender’s blog post published on 22 February 2024, the vulnerability, tracked as CVE-2024-23204, allows attackers to create a Shortcuts file that bypasses Apple’s security framework for macOS and iOS.
Apple Shortcuts is a popular macOS and iOS automation app that lets users build personalized workflows through visual programming to automate tasks like app control, media management, messaging, location-based actions, and more. Users can create workflows for file management, health tracking, web automation, education, and smart home integration, thereby improving productivity and user experience.
The vulnerability was found in the shortcut sharing/expanding mechanism in Apple’s Shortcuts community. The community allows users to discover and expedite automation workflows and export/share shortcuts.
CVE-2024-23204, on the other hand, lets users unknowingly import shortcuts that could exploit the Transparency, Consent, and Control (TCC) security framework in macOS and iOS. This framework helps ensure user privacy and security by requiring explicit permission before accessing sensitive data or functionalities.
During the attack, as noted by researchers in their blog post, the ‘Expand URL’ function in Shortcuts lets attackers transmit base64-encoded photo data to a malicious website. This involves selecting sensitive data, importing it, converting it using the base64 encode option, and forwarding it to the server. A Flask program captures the transmitted data, allowing the attacker to store it for exploitation. The issue is fixed in macOS Sonoma 14.3, watchOS 10.3, iOS 17.3, and iPadOS 17.3.
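A defender-side illustration of the pattern described above, added here and not taken from Bitdefender or Apple: it scans proxy-style log lines for URLs whose path or query carries base64 that decodes to image data. The log format, hosts, size threshold and function names are assumptions, and the sample lines are constructed.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Magic bytes of photo formats, checked against the decoded payload.
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png"}
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/_-]{24,}={0,2}$")
BULK_BYTES = 512  # assumed threshold for flagging non-image payloads

def decode_candidate(token):
    """Return decoded bytes if token is standard or URL-safe base64, else None."""
    if not B64_TOKEN.match(token):
        return None
    std = token.rstrip("=").replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    try:
        return base64.b64decode(std, validate=True)
    except ValueError:
        return None

def url_tokens(url):
    """Yield path segments and query values; '+' is kept, unlike parse_qsl."""
    parts = urlsplit(url)
    for seg in parts.path.split("/"):
        yield unquote(seg)
    for pair in parts.query.split("&"):
        yield unquote(pair.partition("=")[2])

def flag_request(url):
    """Return a finding for a URL carrying base64 image or bulk data, else None."""
    for token in url_tokens(url):
        data = decode_candidate(token) or b""
        kind = next((n for m, n in IMAGE_MAGIC.items() if data.startswith(m)), None)
        if kind or len(data) >= BULK_BYTES:
            return {"host": urlsplit(url).hostname, "bytes": len(data), "kind": kind or "unknown"}
    return None

def scan(lines):
    return [hit for hit in (flag_request(l.partition(" ")[2]) for l in lines) if hit]

# Constructed 'METHOD URL' log lines: fake image headers, reserved example domains.
_JPEG = base64.urlsafe_b64encode(b"\xff\xd8\xff\xe0" + b"JFIF" * 10).decode()
_PNG = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16).decode()
SAMPLE_LOG = [
    "GET https://collector.example/upload/" + _JPEG,
    "GET https://www.example.org/articles/quarterly-security-update-overview?page=2",
    "GET https://cdn.example.net/asset?d=" + _PNG,
]
```

Long slugs that happen to use only base64 characters decode to short garbage, which is why the check requires an image header or a large payload before flagging.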
Still, it highlights the need for continuous security vigilance in Apple’s Shortcuts application, given its potential for privacy breaches. Users are advised to run the latest software: update macOS, iPadOS, and watchOS devices, remain cautious when executing shortcuts from untrusted sources, and regularly check for Apple security updates and patches.
The rising number of flaws identified in Apple apps and devices recently has effectively busted the myth of Apple products being the most reliable in safeguarding user data. Last year Apple patched a record number of vulnerabilities.
In July 2023, Apple issued a critical security alert for iPhone, iPad, and Mac users, urging them to update their devices soon due to a software vulnerability in its Safari WebKit browser engine.
In October 2023, researchers from Georgia Tech, the University of Michigan, and Ruhr University Bochum discovered an iLeakage vulnerability in Apple devices, affecting Macs and iPhones since 2020. The attack exploited a side-channel vulnerability in CPUs, allowing Safari to divulge sensitive data, including passwords and Gmail content.
In December 2023, a Bluetooth vulnerability, CVE-2023-45866, let attackers control Android, Linux, macOS, and iOS devices without user confirmation to install malicious apps, run commands, and perform unauthorized actions.
The same month, Apple released security updates to address two zero-day vulnerabilities, CVE-2023-42916 and CVE-2023-42917, which allowed hackers to execute code and access sensitive data on compromised devices through malicious web pages.