According to Bitdefender research, on versions before iOS 17.3 a malicious shortcut update may hijack sensitive data such as photos and send it to the attacker.
iOS, iPadOS, and macOS include built-in Shortcuts, an automation tool for users. Shortcuts can be passed between users via a link, which can lead to a malicious shortcut being widely distributed.
According to Bitdefender research reviewed by AppleInsider, an unsuspecting user could receive a shortcut that exploits a vulnerability in the Transparency, Consent and Control (TCC) system, which is designed to protect users from data theft. Typically, a TCC prompt appears when an application or shortcut tries to access sensitive information or system resources, but the vulnerability bypassed this check.
A malicious shortcut using the URL Extension feature can bypass TCC and transmit Base64-encoded photo, contact, file, or clipboard data to a website. A Flask program on the attacker's side then captures and saves the transmitted data for possible use.
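As an added example (not code from Bitdefender, AppleInsider, or Apple), the Python below looks for the network trace of the behaviour described above: long Base64 runs in the path or query string of outbound request URLs, as they would appear in a proxy log. The hosts, payloads, 64-character threshold and function names are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Run of Base64 (standard or URL-safe) characters long enough to carry data.
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{64,}={0,2}")
# Leading bytes of file types a leaked photo or file would start with.
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG": "png", b"%PDF": "pdf"}

def decode_run(run):
    """Decode a candidate run; return None if it is not valid Base64."""
    run = run.rstrip("=").replace("-", "+").replace("_", "/")
    if len(run) % 4 == 1:  # no Base64 string has this length
        return None
    try:
        return base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
    except ValueError:
        return None

def classify(data):
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "text" if data.isascii() else "binary"

def scan_url(url):
    """Return [(host, decoded_size, kind)] for Base64 payloads in one URL."""
    parts = urlsplit(url)
    # Check path segments and query values one by one so "/"-separated paths are not read as a run.
    fields = parts.path.split("/")
    fields += [p.partition("=")[2] or p for p in parts.query.split("&")]
    hits = []
    for field in fields:
        for m in B64_RUN.finditer(unquote(field)):
            data = decode_run(m.group())
            if data is not None:
                hits.append((parts.hostname, len(data), classify(data)))
    return hits

# Constructed sample requests (hypothetical hosts, synthetic payloads).
PHOTO = base64.b64encode(b"\xff\xd8\xff\xe0" + bytes(60)).decode()
VCARD = base64.urlsafe_b64encode(b"BEGIN:VCARD\nFN:Constructed Example\n"
                                 b"TEL:+1-555-0100\nEND:VCARD\n").decode()
SAMPLE_URLS = ["https://cdn.example.net/static/js/vendor/app/main/chunk.min.js?v=1f3a9c",
               "https://collector.example.org/u?d=" + PHOTO,
               "https://collector.example.org/c/" + VCARD.rstrip("=")]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(scan_url(url) or "clean", url[:60])
```

Long hex digests and opaque tokens can also decode as valid Base64 and tend to show up as `binary`, so triage `jpeg`, `png`, `pdf` and `text` hits first.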
Users who review every new shortcut downloaded to their device can avoid this issue. The actions a shortcut performs are visible in the shortcut, but may not be noticeable to those who do not know what to look for, especially since some shortcuts can contain hundreds of actions.
Apple has assigned this issue CVE-2024-23204.
How to protect yourself from the Shortcuts vulnerability
The easiest way to avoid problems with the vulnerability is to update the operating system. Recent operating system versions have addressed the issue with additional permission checks.
Update to iOS 17.3, iPadOS 17.3, or macOS Sonoma 14.3 to fix the Shortcuts vulnerability. Bitdefender has given the issue a CVSS score of 7.5 out of 10, which makes it a very severe vulnerability.