CVE-2024-23204 Apple's Shortcuts Vulnerability

Security researchers have revealed details of a high-severity security flaw in Apple's Shortcuts application. The flaw could enable a shortcut to access sensitive information on the device without obtaining user consent. The vulnerability, identified as CVE-2024-23204, has a CVSS score of 7.5 out of 10. Apple addressed it on January 22, 2024, through the release of iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3.

Under CVE-2024-23204, a shortcut could utilize sensitive data for specific actions without requiring user authorization. Apple has confirmed that the issue was resolved by implementing 'additional permissions checks' in the mentioned software updates.

Details about the Apple Shortcuts Application

Apple's Shortcuts app lets users streamline tasks across macOS and iOS devices. The tool automates numerous actions, spanning quick app tasks, device control, media management, messaging, and location-based activities. Users can craft workflows tailored for file management, health and fitness tracking, Web automation, educational purposes and even integration with smart home devices.

The infosec researchers who reported the Shortcuts bug have confirmed that it could be weaponized to create a malicious shortcut that bypasses Transparency, Consent, and Control (TCC) policies. TCC is an Apple security framework designed to protect user data from access that has not first requested the appropriate permissions.

CVE-2024-23204 Allows the Exfiltration of Data

The security vulnerability identified as CVE-2024-23204 originates from a specific shortcut action called 'Expand URL.' This action is designed to expand and clean up URLs shortened through services like t.co or bit.ly, eliminating UTM tracking parameters. Exploiting this feature allows the transmission of Base64-encoded data from a photo to a malicious website.

The technique involves selecting sensitive data (such as Photos, Contacts, Files, and clipboard data) within Shortcuts, importing it, converting it using the base64 encode option, and then forwarding it to the compromised server. The pilfered data is subsequently captured and stored as an image on the attacker's end through a Flask application, setting the stage for potential follow-on exploitation.
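A defender-side check for the transmission described above, as an added example that is not code from the researchers or from Apple: it scans web-proxy log lines for URLs that carry long Base64 runs and reports whether the decoded bytes begin with an image signature. The log layout (`<time> <client> <url>`), the hostnames, the client addresses and the size thresholds are assumptions, and the sample data is constructed.

```python
import base64
import re
from urllib.parse import quote, unquote, urlsplit

B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{64,}={0,2}")  # standard or URL-safe alphabet
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF8": "gif"}
BLOB_MIN = 256  # non-image blobs below this size are ignored (tokens, hashes)

def decode_run(run):
    """Return the decoded bytes of a Base64 run, or b'' if it is not valid Base64."""
    run = run.rstrip("=").replace("-", "+").replace("_", "/")
    try:
        return base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
    except ValueError:
        return b""

def classify_url(url):
    """Return 'image:<format>', 'base64-blob' or None for one requested URL."""
    parts = urlsplit(url)
    # Literal "/" and "&" separate components; %2F, %2B and %3D inside them are data.
    fields = parts.path.split("/") + [p.partition("=")[2] for p in parts.query.split("&")]
    verdict = None
    for field in fields:
        for match in B64_RUN.finditer(unquote(field)):
            data = decode_run(match.group())
            for magic, fmt in IMAGE_MAGIC.items():
                if data.startswith(magic):
                    return "image:" + fmt
            if len(data) >= BLOB_MIN:
                verdict = "base64-blob"
    return verdict

def scan(lines):
    """Return (client, host, verdict) for each flagged '<time> <client> <url>' line."""
    rows = (line.split()[:3] for line in lines)
    return [(c, urlsplit(u).hostname, v) for _, c, u in rows if (v := classify_url(u))]

# Constructed sample data: stand-in bytes, placeholder hostnames, made-up clients.
_jpeg = base64.b64encode(b"\xff\xd8\xff\xe0" + bytes(range(200))).decode()
_blob = base64.urlsafe_b64encode(bytes(range(256)) * 2).decode()
SAMPLE_LOG = [
    "2024-01-10T09:00:01Z 10.0.0.5 https://t.co/AbC123xyz",
    "2024-01-10T09:00:07Z 10.0.0.5 https://news.example/post?utm_source=mail&utm_medium=email",
    "2024-01-10T09:02:13Z 10.0.0.8 https://collector.example/u?d=" + quote(_jpeg, safe=""),
    "2024-01-10T09:02:40Z 10.0.0.8 https://collector.example/" + _blob,
]
```

The check only works where the proxy records full request URLs, and a `base64-blob` verdict is a triage signal rather than proof of exfiltration.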

Since Shortcuts can be exported and shared among users, a common practice in the Shortcuts community, this sharing mechanism expands the vulnerability's potential reach. Users may unknowingly import shortcuts that exploit CVE-2024-23204, heightening the risk of exploitation.

Measures to Mitigate the Impact of Vulnerabilities Like CVE-2024-23204

To enhance protection against the identified vulnerabilities, users are strongly recommended to take the following measures:

Update Operating Systems: Ensure that macOS, iPadOS, and watchOS devices are running the latest software versions. Regularly updating the operating system is crucial as it often includes patches and security enhancements that address potential vulnerabilities.

Exercise Caution with Shortcuts: Be cautious when executing shortcuts, especially those obtained from untrusted sources. Users should scrutinize the origin and content of shortcuts before running them to minimize the risk of inadvertently exposing their devices to security threats.

Regularly Check for Updates: Stay vigilant by regularly checking for security updates and patches provided by Apple. Keeping the device up to date with the latest security releases is fundamental to maintaining a robust defense against potential exploits and vulnerabilities.

By adhering to these recommended practices, users are likely to significantly bolster the security posture of their devices and lessen the likelihood of falling victim to the identified vulnerability.
