Zero-Click vulnerability in Apple Shortcuts allows silent data theft

Apple’s Shortcuts application has been found to have a potentially dangerous vulnerability that could allow attackers to access sensitive data without the need for user permission. The vulnerability is known as CVE-2024-23204 and was discovered by Bitdefender, a cybersecurity company.

The Shortcuts app is designed to automate tasks on macOS and iOS devices, allowing users to create macros and workflows for various functions. However, the recently uncovered vulnerability allows for the creation of malicious Shortcuts files that can bypass Apple’s security framework, enabling unauthorized access to sensitive data and system information.

According to Bitdefender, the exploit involves adding a malicious shortcut to the user’s library, which can then silently gather data without requiring user permission. The researchers were able to demonstrate this by exfiltrating data in an encrypted image file as part of their proof-of-concept (PoC).

The bug is rated 7.5 out of 10 on the Common Vulnerability Scoring System (CVSS), indicating a high level of risk. It can be exploited remotely without the need for user privileges, posing a significant threat to devices running versions preceding macOS Sonoma 14.3, iOS 17.3, and iPadOS 17.3.

Apple has moved quickly to patch the vulnerability, and users are strongly advised to ensure they are running the latest version of the Apple Shortcuts software. Bogdan Botezatu, the director of threat research and reporting at Bitdefender, emphasized the importance of updating the software to mitigate the risk posed by the vulnerability.

This latest security issue with Apple Shortcuts is just one in a series of vulnerabilities that have affected macOS and iOS devices. A recent report from Accenture revealed a substantial increase in Dark Web threat actors targeting macOS since 2019, with the trend showing no signs of slowing down.

In addition to the rise in threat actor activity, there has been a surge in the development of sophisticated infostealers and malware targeting macOS devices. Kaspersky researchers recently uncovered macOS malware designed to target Bitcoin and Exodus cryptowallets, highlighting the growing concern around the security of Apple’s operating systems.

Furthermore, other bugs and vulnerabilities have come to light, making initial access to devices easier for malicious actors. Apple recently fixed a zero-day vulnerability in its Safari browser’s WebKit engine, which could have been exploited to compromise user security.

To mitigate these security risks, users are strongly encouraged to update their macOS, iPadOS, and watchOS devices to the latest versions, exercise caution when executing shortcuts from untrusted sources, and regularly check for security updates and patches from Apple. These measures are crucial in protecting against potential security threats and ensuring the safety of user data on Apple devices.
