Facebook Twitter Instagram
    • Privacy Policy
    • Contact Us
    Facebook Twitter Instagram Pinterest Vimeo
    AI Home SecurityAI Home Security
    • Home
    • Home Security
    • Cyber Security
    • Biometric Technology
    Contact
    AI Home SecurityAI Home Security
    Cyber Security

    Researchers Detail Apple’s Recent Zero-Click Shortcuts Vulnerability

    justmattgBy justmattgFebruary 23, 2024No Comments2 Mins Read

    [ad_1]

    Feb 23, 2024NewsroomData Privacy / iOS Security

    Zero-Click Shortcuts Vulnerability

    Details have emerged about a now-patched high-severity security flaw in Apple’s Shortcuts app that could permit a shortcut to access sensitive information on the device without users’ consent.

    The vulnerability, tracked as CVE-2024-23204 (CVSS score: 7.5), was addressed by Apple on January 22, 2024, with the release of iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3.

    “A shortcut may be able to use sensitive data with certain actions without prompting the user,” the iPhone maker said in an advisory, stating it was fixed with “additional permissions checks.”

    Cybersecurity

    Apple Shortcuts is a scripting application that allows users to create personalized workflows (aka macros) for executing specific tasks on their devices. It comes installed by default on iOS, iPadOS, macOS, and watchOS operating systems.

    Bitdefender security researcher Jubaer Alnazi Jabin, who discovered and reporting the Shortcuts bug, said it could be weaponized to create a malicious shortcut such that it can bypass Transparency, Consent, and Control (TCC) policies.

    TCC is an Apple security framework that’s designed to protect user data from unauthorized access without requesting appropriate permissions in the first place.

    Specifically, the flaw is rooted in a shortcut action called “Expand URL,” which is capable of expanding and cleaning up URLs that have been shortened using a URL shortening service like t.co or bit.ly, while also removing UTM tracking parameters.

    “By leveraging this functionality, it became possible to transmit the Base64-encoded data of a photo to a malicious website,” Alnazi Jabin explained.

    Cybersecurity

    “The method involves selecting any sensitive data (Photos, Contacts, Files, and clipboard data) within Shortcuts, importing it, converting it using the base64 encode option, and ultimately forwarding it to the malicious server.”

    The exfiltrated data is then captured and saved as an image on the attacker’s end using a Flask application, paving the way for follow-on exploitation.

    “Shortcuts can be exported and shared among users, a common practice in the Shortcuts community,” the researcher said. “This sharing mechanism extends the potential reach of the vulnerability, as users unknowingly import shortcuts that might exploit CVE-2024-23204.”

    Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.



    [ad_2]

    Source link

    Previous ArticleFTC Slams Avast with $16.5 Million Fine for Selling Users’ Browsing Data
    Next Article Microsoft Releases PyRIT – A Red Teaming Tool for Generative AI
    justmattg
    • Website

    Related Posts

    Cyber Security

    Name That Toon: Last Line of Defense

    April 16, 2024
    Cyber Security

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    April 16, 2024
    Cyber Security

    Middle East Cyber Ops Intensify, With Israel the Main Target

    April 16, 2024
    Add A Comment

    Leave A Reply Cancel Reply

    Facebook Twitter Instagram Pinterest
    • Privacy Policy
    • Contact Us
    AI Home Security © 2025 All rights reserved | Designed By ESmartsSolution

    Type above and press Enter to search. Press Esc to cancel.

    ↑