One of Apple’s iOS productivity apps had a pretty troubling security flaw, so fix it now

Experts have warned that a popular iOS productivity app had a flaw that allowed malicious actors to steal sensitive data from the vulnerable device.

The app in question is Apple Shortcuts, a nifty little utility that lets apps interact with each other to automate tasks and chain them into useful actions, such as taking the user’s location, calculating how long it would take to get home, and sending that data via text message to a contact.

Now, The Hacker News reports that Shortcuts had a high-severity flaw that allowed unknown actors to access data stored on the device without the user’s consent. The flaw is tracked as CVE-2024-23204 and has a severity score of 7.5.

“A shortcut could allow sensitive data to be used with certain movements without the user’s knowledge,” Apple said in the advisory published with its patch for the flaw. The vulnerability was addressed with “additional permission checks.”

While Apple’s explanation is arguably purely theoretical, that of Bitdefender security researcher Jubaer Alnazi Jabin is much more practical. Jabin, who was the first to report the bug to Apple, said the flaw can be abused to create a malicious shortcut that circumvents Transparency, Consent, and Control (TCC) policies, Apple’s data protection framework.

Explaining how the flaw works, Jabin said that Shortcuts has an “Expand URL” action, which expands shortened URLs and strips UTM tags from them.

“By exploiting this feature, it is possible to transmit the data of a Base64-encoded photo to a malicious website,” Jabin said. “The method is to select all sensitive data (photos, contacts, files, and clipboard data) from the shortcuts, import it, convert it using the base64 encoding option, and then transmit it to the malicious server.”

The data can then be captured by a Flask application. “Shortcuts can be exported and shared between users, a common practice in the shortcut community,” the researcher said. “This sharing mechanism expands the potential scope of the vulnerability, as users unknowingly import shortcuts that can exploit CVE-2024-23204.”
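Because shared shortcuts are the distribution channel the researcher highlights, a defender may want to triage an imported shortcut before running it on an unpatched device. The following heuristic scanner is an added example, not code from the article or from Bitdefender: it parses an exported shortcut property list and flags the chain described above (a sensitive data source, followed later by Base64 encoding, followed later by an Expand URL action). It assumes the file is a plain, unsigned plist with the usual `WFWorkflowActions` / `WFWorkflowActionIdentifier` layout, and the action identifier strings are assumptions that should be checked against a real export.

```python
import plistlib

# Action identifiers are assumptions; verify them against a real exported shortcut.
SENSITIVE_SOURCES = {
    "is.workflow.actions.selectphoto": "photos",
    "is.workflow.actions.getclipboard": "clipboard",
    "is.workflow.actions.contacts": "contacts",
    "is.workflow.actions.documentpicker.open": "files",
}
ENCODE = "is.workflow.actions.base64encode"   # "Base64 Encode" action (assumed id)
EXPAND_URL = "is.workflow.actions.url.expand"  # "Expand URL" action (assumed id)


def action_ids(shortcut_plist: bytes) -> list[str]:
    """Return the ordered action identifiers found in an unsigned shortcut plist."""
    data = plistlib.loads(shortcut_plist)
    return [a.get("WFWorkflowActionIdentifier", "")
            for a in data.get("WFWorkflowActions", [])]


def find_exfil_chain(shortcut_plist: bytes) -> list[str]:
    """Heuristic for the CVE-2024-23204 pattern: sensitive source -> Base64 -> Expand URL.

    Only action ordering is checked, not data flow between actions, so treat a hit
    as a reason to inspect the shortcut manually, not as proof of malice.
    Returns the data categories that feed such a chain ([] means no match).
    """
    ids = action_ids(shortcut_plist)
    flagged = []
    for i, ident in enumerate(ids):
        if ident not in SENSITIVE_SOURCES:
            continue
        rest = ids[i + 1:]
        if ENCODE in rest and EXPAND_URL in rest[rest.index(ENCODE) + 1:]:
            flagged.append(SENSITIVE_SOURCES[ident])
    return flagged


# Constructed samples: one shortcut that reads the clipboard, encodes it and hands
# it to Expand URL, and one benign shortcut that merely expands a link.
SUSPICIOUS = plistlib.dumps({"WFWorkflowActions": [
    {"WFWorkflowActionIdentifier": "is.workflow.actions.getclipboard"},
    {"WFWorkflowActionIdentifier": ENCODE},
    {"WFWorkflowActionIdentifier": EXPAND_URL},
]})
BENIGN = plistlib.dumps({"WFWorkflowActions": [
    {"WFWorkflowActionIdentifier": EXPAND_URL},
    {"WFWorkflowActionIdentifier": "is.workflow.actions.getclipboard"},
]})

if __name__ == "__main__":
    print(find_exfil_chain(SUSPICIOUS))  # ['clipboard']
    print(find_exfil_chain(BENIGN))      # []
```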

Sead is a veteran freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, legislation, and regulations). Over the course of his career, which spans more than a decade, he has written for media outlets including Al Jazeera Balkans. He has also facilitated several modules on content writing for Represent Communications.


TechRadar is part of Future US Inc., an international media group and leading digital publisher.
