EDITOR’S NOTE: CVE-2024-23204 has been patched. This article was written for educational and informational purposes, aiming to provide insights into the CVE-2024-23204 vulnerability. The intention is to raise awareness about cybersecurity issues and promote best practices for safeguarding digital assets.
The recent identification of CVE-2024-23204 highlights the significance of maintaining endless vigilance in terms of security. Apple’s Shortcuts application, originally developed to increase user productivity, has inadvertently emerged as a potential gateway for privacy breaches. This article will provide end-users, developers, and security analytics alike with comprehensive insights into the inherent nature of the vulnerability, clarifying potential implications, and delineating recommended mitigation strategies.
After extensive research, a vulnerability has been uncovered within Apple Shortcuts, allowing potential attackers to access sensitive data through specific actions without user prompting. Rated at 7.5 out of 10 in severity, this vulnerability impacts macOS and iOS devices running versions preceding macOS Sonoma 14.3 and versions preceding iOS 17.3 and iPadOS 17.3. This vulnerability was disclosed to Apple’s security team and has since been addressed. Software updates containing fixes for this vulnerability have been made available to affected users, emphasizing the importance of promptly applying updates to ensure device security and mitigate potential risks.
What Are Shortcuts and What Can They Do?
Shortcuts is an automation app designed for macOS and iOS devices, enabling users to create personalized workflows to streamline tasks and enhance productivity. With an intuitive interface, Shortcuts allows users to automate a variety of actions, from simple tasks such as sending messages to complex operations involving multiple applications. Users can combine various pre-built and custom actions to create intricate sequences tailored to their needs by leveraging a visual programming approach. Apple Shortcuts serves multiple purposes, enabling users to streamline tasks on macOS and iOS devices. It allows for the automation of various actions, from quick app tasks and device control to media management, messaging, and location-based actions. Users can create workflows for file management, health and fitness tracking, web automation, education, and the integration of smart home devices. Shortcuts offer a flexible and customizable way to enhance productivity, making routine tasks quicker and more efficient. Shortcuts cater to user preferences, providing a seamless and personalized experience on Apple devices.
Vulnerability Discovered In Shortcuts.
Shortcuts are distributed through various channels, including Apple’s gallery, where users can discover automation workflows to expedite tasks. Additionally, Shortcuts can be exported and shared among users, a prevalent practice within the Shortcuts community. This sharing mechanism allows for the potential reach of the vulnerability, as users may unknowingly import shortcuts that exploit CVE-2024-23204. Given the widespread use of Shortcuts for efficient task management, the vulnerability raises concerns about the accidental distribution of malicious shortcuts through diverse sharing platforms. CVE-2024-23204 demonstrated the potential to compose a Shortcuts file capable of bypassing the Transparency, Consent, and Control (TCC) Framework.
TCC, critical to macOS and iOS security architecture, governs access to sensitive user data and system resources by applications. It mandates that apps explicitly request permission from users before accessing certain data or functionalities, accordingly enhancing user privacy and security. Typically, the “com.apple.WorkflowKit.BackgroundShortcutRunner” process handles the execution of Shortcuts in the background on Apple devices. TCC prompts are designed to appear when an app or process attempts to access sensitive user data or system resources. Despite the assumption that com.apple.WorkflowKit.BackgroundShortcutRunner operated within the application sandbox, an analysis of the vulnerability revealed its ability to access sensitive data, highlighting potential security setbacks within the system.
How This Attack Works.
The crux of the matter lies in the utilization of the “Expand URL” function within Shortcuts, which serves as the linchpin for bypassing the Transparency, Consent, and Control (TCC) Framework. By exploiting this functionality, the shortcut is capable of transmitting the base64-encoded data of a photo to a malicious website. The process involves selecting sensitive data such as photos, contacts, files, or clipboard data within Shortcuts, importing it into the workflow, encoding it using the base64 encode option, and forwarding it to the designated malicious server A Flask program is employed to capture and retain the base64 data as an image on the attacker’s system. This program adeptly intercepts the transmitted data, allowing the attacker to retrieve and store the sensitive information for potential exploitation. This method emphasizes the problematic nature of the vulnerability, highlighting the imperative need for robust security measures to fortify against such exploits and protect user data from unauthorized access and exploitation.
Mitigation Strategies.
Mitigation measures are crucial to reduce the risks associated with this vulnerability. To fortify against potential exploitation, users are strongly recommended to undertake the following steps:
- Ensure macOS, iPadOS, and watchOS devices are promptly updated to the latest available versions. These updates often contain critical security patches and enhancements to bolster system resilience against vulnerabilities.
- Exercise vigilance and discretion when executing Shortcuts obtained from sources of uncertain trustworthiness. Avoid running shortcuts originating from unfamiliar or unverified sources to minimize the risk of inadvertently triggering malicious actions.
- Maintain a proactive approach by regularly checking for security updates and patches provided by Apple. Timely installation of these updates is essential to stay abreast of emerging threats and vulnerabilities, ensuring the ongoing protection of devices and safeguarding against potential security breaches.
