Malicious Apple Shortcuts could bypass security features to steal data

Apple Shortcuts could be used to steal sensitive data from Apple devices due to a high-severity vulnerability.

Shortcuts is an app created by Apple that allows users to create customized task workflows on Apple devices and automate processes using a combination of built-in functions. Custom shortcuts can be exported and shared with other users, and shortcuts created by other users can be imported from the in-app Gallery section.

Apple originally disclosed and patched the issue last month with the releases of iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3 and watchOS 10.3. Security advisories accompanying the releases stated, “A shortcut may be able to use sensitive data with certain actions without prompting the user” in older OS versions.

The vulnerability, tracked as CVE-2024-23204, was discovered by Senior Security Consultant Jubaer Alnazi Jabin of Horangi Cyber Security, which is owned by Bitdefender. On Thursday, Jabin published more details about the flaw on Bitdefender’s blog, revealing how a malicious shortcut could bypass Apple’s Transparency, Consent, and Control (TCC) security framework.

Exploiting the vulnerability would allow data, including photos, files, contacts and clipboard contents, to be transmitted to an attacker-controlled server without user permission.

Updating to the latest OS versions on iPhones, iPads, Mac computers and Apple Watches, or at least to the versions listed above, resolves the vulnerability, which has a CVSS score of 7.5.

Apple Shortcuts could communicate with malicious websites without alerting user

A key component of the Shortcuts exploit discovered by Jabin is the app’s “Expand URL” function. This is normally used to expand URLs that have been shortened using services like bit.ly and remove any excess parameters, such as UTM codes, from the URL.

However, when included in a malicious shortcut, this function could send sensitive data to an attacker’s server without prompting the user. This is despite the fact that the TCC security framework is designed to alert users upon attempts to access such data.  

“The shortcut is made of several actions, which selects the image, encodes it as base64 and then passes the encoded data to the Expand URL feature, which contains the attacker’s web service,” Bodgan Botezatu, director of threat research and reporting at Bitdefender, told SC Media in an email.

Botezatu explained that Expand URL makes a GET request to the domain of the URL being expanded. Jabin’s blog post describes how an attacker could use a Flask program to capture the base64 data sent through the request. Base64 encoding is also a built-in function that can be added to any Shortcut.

In essence, an attacker could craft a Shortcut including their own website as a URL to be expanded, disguise it to look like a different Shortcut, and publish it or send it to another user. When the user attempts to use the Shortcut, their data is sent to the attacker without the user’s knowledge.

Jabin demonstrated the exploit in a proof-of-concept video, showing how a Shortcut could be run on an unpatched version without a permission pop-up appearing to the user.

SC Media tested the Expand URL feature in the Shortcuts app on a phone running iOS 17.3, using a shortened URL of an SC Media article. Upon an attempt to run a Shortcut containing the Expand URL feature, a prompt was displayed reading “Allow ‘Expand URL’ to connect to ‘pages.cyberriskalliance.com’?”

In addition to installing the relevant updates, Jabin recommended users “exercise caution when executing shortcuts from untrusted sources.”