Zero-Click Apple Shortcuts Vulnerability Allows Silent Data Theft

Published: 23/11/2024   Category: security




Vulnerability CVE-2024-23204, affecting Apple's popular Shortcuts app, suggests a critical need for ongoing security awareness in the macOS and iOS ecosystem.



A dangerous vulnerability in Apple Shortcuts has surfaced, which could give attackers access to sensitive data across the device without the user being asked to grant permissions.
Apple's Shortcuts application, designed for macOS and iOS, is aimed at automating tasks. For businesses, it allows users to create macros for executing specific tasks on their devices, and then combine them into workflows for everything from Web automation to smart-factory functions. These can then be shared online through iCloud and other platforms with co-workers and partners.
According to an analysis from Bitdefender out today, the vulnerability (CVE-2024-23204) makes it possible to craft a malicious Shortcuts file that would be able to bypass Apple's Transparency, Consent, and Control (TCC) security framework, which is supposed to ensure that apps explicitly request permission from the user before accessing certain data or functionalities.
That means that when someone adds a malicious shortcut to their library, it can silently pilfer sensitive data and systems information, without having to get the user to give access permission. In their proof-of-concept (PoC) exploit, Bitdefender researchers were then able to exfiltrate the data in an encrypted image file.
"With Shortcuts being a widely used feature for efficient task management, the vulnerability raises concerns about the inadvertent dissemination of malicious shortcuts through diverse sharing platforms," the report noted.
The bug is a threat to macOS and iOS devices running versions preceding macOS Sonoma 14.3, iOS 17.3, and iPadOS 17.3, and it is rated 7.5 out of a possible 10 (high) on the Common Vulnerability Scoring System (CVSS) because it can be remotely exploited with no required privileges.
"Apple has patched the bug, and we are urging users to make sure they are running the latest version of the Apple Shortcuts software," says Bogdan Botezatu, director of threat research and reporting at Bitdefender.
In October, Accenture published a report revealing a tenfold rise in Dark Web threat actors targeting macOS since 2019 — with the trend poised to continue.
The findings coincide with the emergence of sophisticated macOS infostealers created to bypass Apple's built-in detection. And Kaspersky researchers recently discovered macOS malware targeting Bitcoin and Exodus cryptowallets, with the malicious software substituting genuine apps with compromised versions.
Bugs also continue to come to light, making initial access easier. For instance, earlier this year Apple fixed a zero-day vulnerability (CVE-2024-23222) in its Safari browser's WebKit engine, caused by a type confusion error, where input validation assumptions can lead to exploitation.
To avoid bad Apple outcomes in general, the report strongly advises users to update macOS, iPadOS, and watchOS devices to the latest versions, exercise caution when executing shortcuts from untrusted sources, and regularly check for security updates and patches from Apple.
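To act on the update advice across a fleet, the following added example (not from the article or from Bitdefender) audits a device inventory against the first fixed releases the article names for CVE-2024-23204. The CSV layout, hostnames and function names are assumptions made for illustration; the thresholds are the article's, and platforms it gives no fixed version for are marked for manual review.

```python
import csv
import io
import re

# First fixed releases, taken from the article's affected-version statement.
FIXED = {"macos": (14, 3), "ios": (17, 3), "ipados": (17, 3)}

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = """hostname,platform,os_version
mac-build-01,macOS,14.2.1
mac-design-07,macOS,14.3
iphone-sales-12,iOS,17.3.1
ipad-kiosk-03,iPadOS,16.7.4
watch-exec-02,watchOS,10.2
mac-lab-09,macOS,unknown
"""

def parse_version(text):
    """Return (major, minor, patch) from strings like '17.2.1' or '14.3 (build id)'."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())

def classify(platform, os_version):
    """Classify one device as 'vulnerable', 'patched', or 'review'."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(os_version)
    if fixed is None or version is None:
        return "review"  # no threshold in the article, or unparseable version
    # Strict "preceding the fixed release" comparison on (major, minor).
    return "vulnerable" if version[:2] < fixed else "patched"

def audit(inventory_csv):
    """Map hostname -> status for every row of the CSV export."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["hostname"]: classify(r["platform"], r["os_version"]) for r in rows}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:18} {status}")
```

Devices reported as `review` need a human decision rather than being assumed safe.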
