Zero-Click Apple Shortcuts Vulnerability Allows Silent Data Theft

Vulnerability CVE-2024-23204, affecting Apples popular Shortcuts app, suggests a critical need for ongoing security awareness in the macOS and iOS ecosystem.

A dangerous vulnerability in Apple Shortcuts has surfaced, which could give attackers access to sensitive data across the device without the user being asked to grant permissions.
Apples Shortcuts application, designed for macOS and iOS, is aimed at automating tasks. For businesses, it allows users to create macros for executing specific tasks on their devices, and then combine them into workflows for everything from Web automation to smart-factory functions. These can then be shared online through iCloud and other platforms with co-workers and partners.
According to an
analysis from Bitdefender
out today, the vulnerability (CVE-2024-23204) makes it possible to craft a malicious Shortcuts file that would be able to bypass Apples Transparency, Consent, and Control (TCC) security framework, which is supposed to ensure that apps explicitly request permission from the user before accessing certain data or functionalities.
That means that when someone adds a malicious shortcut to their library, it can silently pilfer sensitive data and systems information, without having to get the user to give access permission. In their proof-of-concept (PoC) exploit, Bitdefender researchers were then able to exfiltrate the data in an encrypted image file.
With Shortcuts being a widely used feature for efficient task management, the vulnerability raises concerns about the inadvertent dissemination of malicious shortcuts through diverse sharing platforms, the report noted.
The bug is a threat to macOS and iOS devices running versions preceding macOS Sonoma 14.3, iOS 17.3, and iPadOS 17.3, and it is rated 7.5 out of a possible 10 (high) on the Common Vulnerability Scoring System (CVSS) because it can be remotely exploited with no required privileges.
Apple has patched the bug, and we are urging users to make sure they are running the latest version of the Apple Shortcuts software, says Bogdan Botezatu, director of threat research and reporting at Bitdefender.
In October,
Accenture published
a report revealing a tenfold rise in Dark Web threat actors targeting macOS since 2019 — with the trend poised to continue.
The findings coincide with the emergence of
sophisticated macOS infostealers
created to bypass Apples built-in detection. And Kaspersky researchers
recently discovered
macOS malware targeting Bitcoin and Exodus cryptowallets, with the malicious software substituting genuine apps with compromised versions.
Bugs also continue to come to light, making initial access easier. For instance, earlier this year Apple fixed a zero-day vulnerability (CVE-2024-23222) in its
Safari browsers WebKit engine
, caused by a type confusion error, where input validation assumptions can lead to exploitation.
To avoid bad Apple outcomes in general, the report strongly advises users to update macOS, iPadOS, and watchOS devices to the latest versions, exercise caution when executing shortcuts from untrusted sources, and regularly check for security updates and patches from Apple.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Zero-Click Apple Shortcuts Vulnerability Allows Silent Data Theft