According to research performed by Bitdefender, prior to the iOS 17.3 update, a malicious Shortcut could capture sensitive data like photos and send it to an attacker.
Shortcuts are built into iOS, iPadOS, and macOS to provide users with hooks for building automations. These Shortcuts can be shared between users via a link, which can lead to widespread sharing of a malicious Shortcut.
According to research performed by Bitdefender viewed by AppleInsider, an unsuspecting Shortcuts user could obtain a Shortcut that attacks a vulnerability in the Transparency, Consent, and Control (TCC) system meant to protect users from data theft. Typically, TCC prompts appear when an app or Shortcut attempts to access sensitive information or system resources, but the vulnerability bypassed this check.
A malicious Shortcut utilizing the “Expand URL” function could bypass TCC and transmit base64-encoded data of photos, contacts, files, or clipboard data to a website. A Flask program on the attacker’s end would capture and store the transmitted data for potential exploitation.
Users who inspected any new Shortcuts downloaded to their device could have avoided this issue. The steps to perform the actions are visible within the Shortcut but may not jump out to someone who doesn’t know what to look for — especially since some Shortcuts can end up with hundreds of actions.
Apple assigned CVE-2024-23204 to the issue.
How to protect yourself from the Shortcuts vulnerability
?
The easiest fix to avoid any problems with the vulnerability is to update. The latest operating systems patched out the issue with additional permission checks.
Update to iOS 17.3, iPadOS 17.3, or macOS Sonoma 14.3 to patch the Shortcuts vulnerability. Bitdefender classified the issue as a 7.5 out of 10 CVSS score, making it a very high severity vulnerability.