Researchers Detail Apple’s Recent Zero-Click Shortcuts Vulnerability

Feb 23, 2024NewsroomData Privacy / iOS Security

Details have emerged about a now-patched high-severity security flaw in Apple’s Shortcuts app that could permit a shortcut to access sensitive information on the device without users’ consent.

The vulnerability, tracked as CVE-2024-23204 (CVSS score: 7.5), was addressed by Apple on January 22, 2024, with the release of iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3.

“A shortcut may be able to use sensitive data with certain actions without prompting the user,” the iPhone maker said in an advisory, stating it was fixed with “additional permissions checks.”

Apple Shortcuts is a scripting application that allows users to create personalized workflows (aka macros) for executing specific tasks on their devices. It comes installed by default on iOS, iPadOS, macOS, and watchOS operating systems.

Bitdefender security researcher Jubaer Alnazi Jabin, who discovered and reporting the Shortcuts bug, said it could be weaponized to create a malicious shortcut such that it can bypass Transparency, Consent, and Control (TCC) policies.

TCC is an Apple security framework that’s designed to protect user data from unauthorized access without requesting appropriate permissions in the first place.

Specifically, the flaw is rooted in a shortcut action called “Expand URL,” which is capable of expanding and cleaning up URLs that have been shortened using a URL shortening service like t.co or bit.ly, while also removing UTM tracking parameters.

“By leveraging this functionality, it became possible to transmit the Base64-encoded data of a photo to a malicious website,” Alnazi Jabin explained.

“The method involves selecting any sensitive data (Photos, Contacts, Files, and clipboard data) within Shortcuts, importing it, converting it using the base64 encode option, and ultimately forwarding it to the malicious server.”

The exfiltrated data is then captured and saved as an image on the attacker’s end using a Flask application, paving the way for follow-on exploitation.

“Shortcuts can be exported and shared among users, a common practice in the Shortcuts community,” the researcher said. “This sharing mechanism extends the potential reach of the vulnerability, as users unknowingly import shortcuts that might exploit CVE-2024-23204.”