New Apple Shortcuts Flaw Exposes Sensitive Data

Sophia Taylor

By Sophia Taylor


In a recent revelation by cybersecurity experts at Bitdefender, a significant vulnerability within the Apple Shortcuts application, identified as CVE-2024-23204, has raised concerns over data privacy and security for macOS and iOS users.

This flaw, with a severity score of 7.5 out of 10, compromises user data by allowing unauthorized access through specially crafted Shortcuts files. The discovery underscores the urgency for users to update their devices to the latest software versions to safeguard against potential data theft.

Understanding the Vulnerability

Apple Shortcuts, the intuitive automation tool for macOS and iOS, empowers users to streamline a variety of tasks such as app management, media, messaging, and more through visual programming.

Despite its utility in enhancing productivity and integrating smart technologies into daily routines, the application has become the focal point of security scrutiny.

The flaw, specifically found within the shortcut sharing and expansion mechanism, manipulates the Transparency, Consent, and Control (TCC) framework of Apple’s operating systems.

This framework is pivotal in protecting user privacy by controlling app permissions. CVE-2024-23204 facilitates the importation of malicious shortcuts capable of bypassing these protections, leading to unauthorized data access.

The Mechanism of Exploit

Researchers illustrate the exploit process involving the ‘Expand URL’ function within the Shortcuts app. Attackers are able to encode sensitive data in base64 format and transmit it to external servers through this function. A server-side Flask application then captures and stores this data for further malicious use.

The vulnerability has been addressed in the latest updates for macOS (Sonoma 14.3), iOS (17.3), iPadOS (17.3), and watchOS (10.3), highlighting Apple’s prompt response to the issue.

Here’s a demonstration of the threat in action:

Recommendations for Users

In light of these findings, users are urged to immediately update their devices to the aforementioned versions to mitigate risk. Additionally, exercising caution when importing shortcuts from unfamiliar sources and staying informed about ongoing security updates from Apple are critical steps in maintaining data security.

Broader Implications for Apple’s Security Reputation

The identification of CVE-2024-23204 is part of a growing list of vulnerabilities affecting Apple devices, challenging the perceived invulnerability of Apple products against security threats.

Notable incidents in the past year, including a critical alert for the Safari WebKit browser engine and the discovery of the iLeakage vulnerability, highlight the evolving landscape of cybersecurity threats facing Apple users.

As Apple continues to address these vulnerabilities through updates and security patches, the importance of user vigilance and prompt software updates cannot be overstated. By adhering to recommended security practices, users can play a significant role in safeguarding their personal data against emerging threats.