Freely subscribe to our NEWSLETTER

At a glance:

We have discovered a vulnerability in Apple Shortcuts that lets a potential attacker access sensitive data with certain actions without prompting the user;
The vulnerability is rated 7.5 out of 10 and affects Mac OS and iOS devices running v ersions prior to macOS Sonoma 14.3 and versions prior to iOS 17.3 and iPadOS 17.3, respectively.
The vulnerability was responsibly disclosed and is now fixed. Software updates have been made avalaible for impacted users.

What is Apple Shortcuts?

Apple Shortcuts is a powerful automation app designed for macOS and iOS devices, enabling users to create personalized workflows to streamline tasks and enhance productivity. With an intuitive interface, Shortcuts allows users to automate a wide range of actions, from simple tasks like sending messages to complex operations involving multiple applications. Leveraging a visual programming approach, users can combine various pre-built and custom actions to create intricate sequences tailored to their needs.
What can these Shortcuts do?

Apple Shortcuts serves a multitude of purposes, enabling users to streamline tasks on macOS and iOS devices. It allows for the automation of various actions, from quick app tasks and device control to media management, messaging, and location-based actions. Users can create workflows for file management, health and fitness tracking, web automation, education, and even smart home integration. Shortcuts offer a flexible and customizable way to enhance productivity, making routine tasks quicker and more efficient. Whether it’s automating daily chores or facilitating specific device functionalities, Shortcuts cater to a diverse range of user preferences, providing a seamless and personalized experience on Apple devices.

The flexibility and customization offered by Shortcuts make it a versatile tool that caters to a wide range of user preferences and needs, enhancing the overall efficiency and user experience on Apple devices.

Now that we have a comprehensive understanding of Shortcuts, let’s delve into the impact of CVE-2024-23204. Shortcuts are distributed through various channels, and Apple has its gallery where users can discover automation workflows to expedite tasks. Furthermore, Shortcuts can be exported and shared among users, a common practice in the Shortcuts community. This sharing mechanism extends the potential reach of the vulnerability, as users unknowingly import shortcuts that might exploit CVE-2024-23204. With Shortcuts being a widely used feature for efficient task management, the vulnerability raises concerns about the inadvertent dissemination of malicious shortcuts through diverse sharing platforms.

For CVE-2024-23204 it was possible to craft a Shortcuts file that would be able to bypass the TCC. TCC, or Transparency, Consent, and Control, is a security framework in Apple’s macOS and iOS that governs access to sensitive user data and system resources by applications. TCC ensures that apps explicitly request permission from the user before accessing certain data or functionalities, enhancing user privacy and security.

Typically, the com.apple.WorkflowKit.BackgroundShortcutRunner is associated with executing Shortcuts in the background on Apple devices. TCC (Transparency, Consent, and Control) prompts are designed to appear when an app or a process attempts to access sensitive user data or system resources. During the analysis of the vulnerability, it was assumed that com.apple.WorkflowKit.BackgroundShortcutRunner was able to access some sensitive data even though the profile was within the sandbox.
How does the attack work?

To delve into the details of this vulnerability, the following steps outline the process to reproduce the issue:

The ’Expand URL’ function was the pivotal element that allowed the shortcut to bypass TCC. By leveraging this functionality, it became possible to transmit the base64-encoded data of a photo to a malicious website. The method involves selecting any sensitive data (Photos, Contacts, Files and Clipboard Data) within Shortcuts, importing it, converting it using the base64 encode option, and ultimately forwarding it to the malicious server.

To capture and save the base64 data as an image on the attacker’s end, a Flask program is employed. This program effectively captures the transmitted data, enabling the attacker to collect and store the sensitive information for potential exploitation. This nuanced approach highlights the intricate nature of the vulnerability, emphasizing the need for robust security measures to safeguard against such exploits.

# Endpoint to receive and save Base64-encoded image, overwriting the existing file
@app.route(’/’, methods=[’GET’])
def upload_image():
# Get the Base64-encoded image from the query parameter named ’image’
encoded_image = request.args.get(’image’, ’’)
if not encoded_image:
return "No image data provided."
try:
# Replace spaces with ’+’ characters in the Base64 data
encoded_image = replace_spaces_with_plus(encoded_image)
# Check if the provided data is a valid Base64 string
if not is_base64(encoded_image):
return "Invalid Base64 image data."
# Generate the filename for the text file (you may want to implement a more robust naming strategy)
text_filename = os.path.join(TEXT_FILES_FOLDER, ’base64_image.txt’)
# Save the Base64 data to the specified text file, overwriting any existing file
with open(text_filename, ’w’) as text_file:
text_file.write(encoded_image)
return "Base64 image data saved to a text file."
except Exception as e:
return f"Error saving Base64 image data: str(e)"

This is what the attack looks like on the user’s end after they install the malicious shortcut:

This vulnerability has received 7.5 in CVSS score making it a very high severity vulnerability.
Mitigation

To safeguard against this vulnerability, users are strongly advised to:

Update their macOS, ipadOS and watchOS devices to the latest versions.
Exercise caution when executing shortcuts from untrusted sources.
Regularly check for security updates and patches from Apple.

Apple Advisory:

Apple has assigned CVE-2024-23204 to this issue. CVEs are unique IDs used to uniquely identify vulnerabilites. The following describes the impact and description of this issue:

Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user

Description: The issue was addressed with additional permissions checks.

https://support.apple.com/HT214060

https://support.apple.com/HT214059

https://support.apple.com/HT214061