A dangerous vulnerability in Apple Shortcuts has surfaced. This vulnerability could allow an attacker to access sensitive data across the device without requiring the user to grant permissions.
Apple’s Shortcuts app is designed for macOS and iOS and is aimed at automating tasks. For businesses, users can create macros to perform specific tasks on their devices and combine them into workflows for everything from web automation to smart factory functionality. These can be shared with colleagues and partners online through iCloud and other platforms.
according to Analysis by Bitdefender A vulnerability disclosed today (CVE-2024-23204) allows a malicious shortcut to bypass Apple’s Transparency, Consent, and Control (TCC) security framework, which ensures that apps explicitly request permissions. Allows files to be created. Receive a notification from you before accessing certain data or features.
This means that if someone adds a malicious shortcut to your library, sensitive data and system information can be silently stolen without giving you permission. Bitdefender researchers were able to extract data within encrypted image files with a proof-of-concept (PoC) exploit.
“Shortcuts are a widely used feature for efficient task management, so this vulnerability raises concerns that malicious shortcuts could be inadvertently spread across a variety of sharing platforms. “There are,” the report says.
This bug is a threat to macOS and iOS devices running versions earlier than macOS Sonoma 14.3, iOS 17.3, and iPadOS 17.3, and is rated 7.5 out of 10 (High) on the Common Vulnerability Scoring System (CVSS). Masu. Can be exploited remotely without the necessary privileges.
Apple has fixed the bug and is “urging users to ensure they are running the latest version of the Apple Shortcuts software,” said Bogdan Botezatu, director of threat research and reporting at Bitdefender. .
Apple security vulnerabilities: becoming increasingly common
During October, Accenture published According to the report, there has been a 10x increase in dark web threat actors targeting macOS since 2019, and this trend is expected to continue.
This discovery is Sophisticated macOS information thieves Created to bypass Apple’s built-in detection.and Kaspersky researchers recently discovered macOS malware targeting Bitcoin and Exodus crypto wallets. This malicious software replaces legitimate apps with compromised versions.
Bugs will continue to be uncovered and initial access will be easier. For example, earlier this year Apple fixed a zero-day vulnerability (CVE-2024-23222). Safari browser’s WebKit enginecaused by type confusion errors and input validation assumptions that can lead to exploits.
To avoid bad outcomes from Apple in general, the report urges users to update their macOS, iPadOS, and watchOS devices to the latest versions, be careful when running shortcuts from untrusted sources, and take security precautions from Apple. We strongly recommend checking regularly for updates and patches.