Bitdefender Discovers Critical Vulnerability CVE-2024-23204 in Apple Shortcuts

Cybersecurity firm Bitdefender has recently unearthed a significant security flaw in Apple’s popular automation app, Apple Shortcuts. This vulnerability, rated at 7.5 out of 10 in severity, poses a serious risk to user data and privacy.

The Vulnerability: CVE-2024-23204

Bitdefender’s blog post, published on February 22, 2024, sheds light on this critical issue. The vulnerability, tracked as CVE-2024-23204, allows attackers to create malicious shortcut files that bypass Apple’s security framework for both macOS and iOS.

Apple Shortcuts: A Brief Overview

Apple Shortcuts is an automation app widely used by macOS and iOS users. It empowers individuals to streamline tasks by creating personalized workflows through visual programming. These workflows automate various actions, including app control, media management, messaging, and location-based tasks. Users can tailor workflows for file management, health tracking, web automation, education, and smart home integration, enhancing overall productivity and user experience.

The Vulnerability Explored

The flaw resides in the shortcut sharing/expanding mechanism within Apple’s Shortcuts community. This community serves as a hub for users to discover and expedite automation workflows and export and share their shortcuts.

CVE-2024-23204 enables attackers to stealthily import shortcuts that exploit the Transparency, Consent, and Control (TCC) security framework in macOS and iOS. This framework is crucial in safeguarding user privacy and security by mandating explicit permission before granting access to sensitive data or functionalities.

This flaw allows attackers to manipulate base64-encoded photo data and transmit the target to malicious websites.

The Attack Process

1. Select Sensitive Data: Attackers identify sensitive information within the Shortcuts app.
2. Import and Encode: The attacker imports the data and converts it using the base64 encode option.
3. Transmit to Server: The encoded data is then forwarded to a server via the ‘Expand URL’ function.
4. Data Capture: A Flask program captures the transmitted data, providing the attacker with a repository for exploitation.

Fortunately, Apple has addressed this issue in the following software versions:

• macOS Sonoma 14.3
• watchOS 10.3
• iOS 17.3
• iPadOS 17.3

The Vulnerability in Action:

This incident underscores the importance of ongoing security vigilance when using Apple Shortcuts. To safeguard your privacy:

• Keep Software Updated: Ensure you are running the latest macOS, iPadOS, and watchOS versions.
• Exercise Caution: Be wary when executing shortcuts from untrusted sources.
• Regularly Check for Updates: Stay informed about Apple’s security patches.