A recently disclosed vulnerability in Apple's Shortcuts application could allow attackers to access users' sensitive data without consent (zero-click), according to an analysis by cybersecurity firm BitDefender.
The vulnerability, tracked as CVE-2024-23204 (CVSS score: 7.5), affects Mac, iPhone, iPad and Apple Watch devices running older versions of their respective operating systems.
Shortcuts is an automation app that allows users to create customized workflows to expedite tasks on Apple devices. The flexibility of Shortcuts has made it widely popular among users looking to streamline routine activities. However, researchers at BitDefender found that the app's functionality could be exploited to bypass Apple's privacy protections.
Specifically, the vulnerability enables a malicious Shortcuts file to access and transmit a user's sensitive data, including photos, contacts, clipboard contents and other files, without prompting the user for permission. This is achieved by leveraging Shortcuts' "Expand URL" feature to encode the data and send it to an external server controlled by the attacker.
According to BitDefender's technical analysis, the Shortcuts background process com.apple.WorkflowKit.BackgroundShortcutRunner is intended to trigger shortcuts without requiring user interaction.
Typically, Apple's Transparency, Consent and Control (TCC) framework would prompt the user for consent when an app attempts to access sensitive information. However, it appears BackgroundShortcutRunner was able to bypass TCC and access data within the app sandbox.
By combining Expand URL, base64 encoding and a Flask server endpoint, attackers could exploit this bypass to obtain users' sensitive information without their knowledge or consent. BitDefender confirmed the attack by constructing a proof-of-concept Shortcuts file that exfiltrated test data, and assigned the issue a severity score of 7.5 out of 10 based on the CVSS standard.
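On the network side, the pattern described above shows up as an outbound request whose URL carries a long base64 token that decodes to a photo, a contact card or text. The following Python is an added example for triaging web proxy logs, not code from BitDefender's analysis or from Apple; the "client method url" log format, the 40-character threshold, the magic-byte list, the hosts and the sample payloads are all constructed assumptions.

```python
import base64, binascii, re
from urllib.parse import quote, unquote, urlsplit

# Leading bytes of the data types the article names; an assumed, non-exhaustive list.
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG": "png", b"BEGIN:VCARD": "vcard"}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{40,}={0,2}")  # 40+ chars: assumed threshold

def decode_b64(token):
    """Decode standard or URL-safe base64, tolerating missing padding; None if invalid."""
    token = token.rstrip("=").replace("-", "+").replace("_", "/")
    try:
        return base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except binascii.Error:
        return None

def classify(url):
    """Return (kind, decoded_size) if a path segment or query value decodes to a payload."""
    parts = urlsplit(url)
    candidates = parts.path.split("/") + [kv.partition("=")[2] for kv in parts.query.split("&")]
    for token in map(unquote, candidates):
        data = decode_b64(token) if B64_TOKEN.fullmatch(token) else None
        if not data:
            continue
        for magic, kind in MAGIC.items():
            if data.startswith(magic):
                return kind, len(data)
        # Mostly printable bytes suggest encoded text such as clipboard contents.
        if sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data) > 0.95:
            return "text", len(data)
    return None

def scan(lines):
    """Return (client, host, kind, decoded_size) for each suspicious request."""
    hits = []
    for line in lines:
        client, _method, url = line.split(" ", 2)
        hit = classify(url)
        if hit:
            hits.append((client, urlsplit(url).hostname, *hit))
    return hits

# Constructed sample proxy log; hosts and payloads are made up for this example.
VCARD = b"BEGIN:VCARD\nVERSION:3.0\nFN:Test User\nTEL:+1-555-0100\nEND:VCARD\n"
JPEG = b"\xff\xd8\xff\xe0" + bytes(60)
SAMPLE_LOG = [
    "10.0.0.5 GET https://collector.example/u/" + base64.urlsafe_b64encode(VCARD).decode(),
    "10.0.0.6 GET https://cdn.example/assets/9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "10.0.0.7 GET https://collector.example/x?d=" + quote(base64.b64encode(JPEG).decode(), safe=""),
    "10.0.0.8 GET https://news.example/2024/02/shortcuts-vulnerability-explained",
]
```

The "text" rule will also match benign encoded tokens such as JWT payloads, so hits are leads to review against the destination host rather than verdicts.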
The vulnerability affects Macs running macOS versions before Sonoma 14.3, iPhones and iPads on iOS versions before 17.3, and Apple Watch models not updated to watchOS 9.3 or later.
Apple has released security updates patching the vulnerability (CVE-2024-23204) across all impacted platforms. Users are strongly advised to install the latest software versions on their devices to protect against potential attacks leveraging this vulnerability.
While updating devices, users should also refrain from running Shortcuts from unknown or untrusted sources. Attackers could disguise malicious Shortcuts as useful workflows and spread them across Apple's Shortcuts gallery, social media or other channels. Importing and running such compromised Shortcuts could lead to data theft.
The Shortcuts app provides great flexibility and automation power but also expands the attack surface. Malicious exploitation of CVE-2024-23204 could have enabled large-scale harvesting of sensitive user data. While now fixed, the vulnerability highlights the need for continuous security awareness and rapid patching of discovered issues.