Apple Shortcuts vulnerability enables zero-click data theft
Take action: Update your iOS and macOS devices to the latest version, and don't download Apple Shortcuts files (or at least make sure you fully trust the author).
Bitdefender is reporting a vulnerability within Apple's Shortcuts application, affecting both macOS and iOS devices. Devices running versions prior to macOS Sonoma 14.3, iOS 17.3, and iPadOS 17.3 are vulnerable to this exploit.
Apple Shortcuts is an automation tool available on macOS, iOS, and iPadOS devices, designed to streamline and automate tasks. Users can create custom workflows for a variety of tasks, ranging from simple commands to complex operations involving multiple apps.
The vulnerability, tracked as CVE-2024-23204 (CVSS score 7.5), enables attackers to bypass the Transparency, Consent, and Control (TCC) framework of macOS and iOS. TCC is designed to safeguard user privacy by ensuring that apps request explicit permission before accessing sensitive data or system resources. CVE-2024-23204 allows for the creation of malicious Shortcuts files capable of silently exfiltrating sensitive information without user consent.
The attack is executed through a malicious Shortcuts file sent to the user. The shortcut may have some beneficial effect, but in the background it bypasses the operating system's permission controls to steal data.
The vulnerability exploits the "Expand URL" function within the Shortcuts application, enabling attackers to encode sensitive data (such as photos, contacts, and clipboard content) in base64 format and transmit it to a malicious server. A service listener program on the attacker's end captures this data, completing the theft of information.
To protect against CVE-2024-23204, users are urged to update their devices to the latest versions of macOS, iOS, and iPadOS. Apple has addressed the issue through software updates that include additional permissions checks, mitigating the risk of unauthorized data access.
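Alongside patching, the base64 exfiltration pattern described above can be hunted in web proxy logs. The following is an added example, not code from Bitdefender or Apple: it flags requests whose URL carries a large, validly decoding base64 token. The log layout, hosts, addresses, the 200-character threshold, and the premise that the encoded data travels in the URL are assumptions.

```python
import base64
import binascii
from urllib.parse import quote, unquote, urlsplit

MIN_B64_CHARS = 200  # assumption: tune to your own traffic baseline

def decoded_size(token):
    """Return the decoded byte length if token is valid base64, else None."""
    core = token.rstrip("=").replace("-", "+").replace("_", "/")  # URL-safe form
    if len(core) % 4 == 1:
        return None  # impossible length for base64
    try:
        return len(base64.b64decode(core + "=" * (-len(core) % 4), validate=True))
    except (binascii.Error, ValueError):
        return None

def url_tokens(url):
    """Yield percent-decoded path segments and query values of a URL."""
    parts = urlsplit(url)
    for segment in parts.path.split("/"):
        yield unquote(segment)
    for pair in parts.query.split("&"):
        yield unquote(pair.partition("=")[2] or pair)

def suspicious_requests(log_lines, min_chars=MIN_B64_CHARS):
    """Return (client, host, decoded_bytes) for URLs carrying large base64."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        client, url = fields[1], fields[3]
        for token in url_tokens(url):
            size = decoded_size(token) if len(token) >= min_chars else None
            if size:
                hits.append((client, urlsplit(url).hostname, size))
                break
    return hits

# Constructed sample data: hosts, addresses and payload are invented.
SAMPLE_BLOB = base64.b64encode(b"constructed clipboard text " * 12).decode()
SAMPLE_LOG = [
    "2024-02-23T10:00:01Z 10.0.0.15 GET https://www.example.com/index.html?lang=en 200",
    "2024-02-23T10:00:07Z 10.0.0.23 GET https://collector.example.net/u/"
    + quote(SAMPLE_BLOB, safe="") + " 200",
    "2024-02-23T10:00:09Z 10.0.0.31 GET https://cdn.example.org/app.js?v=" + "z" * 40 + " 200",
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Long opaque tokens also occur in legitimate traffic (session tokens, tracking parameters), so treat hits as leads to triage against the destination host rather than as confirmed exfiltration.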