Ahead of the release of the highly anticipated Apple iOS 17.4 update, a cybersecurity researcher has revealed that the iOS 17.3 update includes a patch for a “high severity” vulnerability that allows threat actors to access sensitive data on targeted devices without users’ knowledge.
In a blog post on Feb. 22, Jubaer Alnazi, a researcher at Bitdefender who discovered the security flaw, explained that the vulnerability originates from the Shortcuts app — a tool designed for automating tasks.
Threat actors can exploit this vulnerability to create malicious shortcuts that allow them to access sensitive data on targeted devices without users’ knowledge or permission.
The bug, tracked as CVE-2024-23204, “is rated 7.5 out of 10 and affects Mac OS and iOS devices running versions prior to macOS Sonoma 14.3 and versions prior to iOS 17.3 and iPadOS 17.3, respectively,” Alnazi said.
How Attackers Can Exploit This Vulnerability
In a blog post, Alnazi explained that an attacker could create malicious shortcuts and spread them to unwitting users.
“This sharing mechanism extends the potential reach of the vulnerability, as users unknowingly import shortcuts that might exploit CVE-2024-23204,” he said. “With Shortcuts being a widely used feature for efficient task management, the vulnerability raises concerns about the inadvertent dissemination of malicious shortcuts through diverse sharing platforms.”
A plausible scenario could be the attacker spreading this malicious shortcut via emails, social media, or other distribution methods to trick users into installing it. Once installed and executed, the shortcut could silently perform its intended malicious activities, sending the user’s data to the attacker’s server.
Technically speaking, the vulnerability allows Shortcuts files to bypass Apple’s Transparency, Consent, and Control (TCC) framework. TCC is meant to protect user data by requiring apps to obtain permission before accessing sensitive information.
The attack leverages the “ExpandURL” function within the Shortcuts app, Alnazi said. Thanks to this flaw, threat actors can gather and transmit sensitive user information (like photos and contacts) to an external server without triggering the prompts that would normally ask for user consent.
How to Protect Your Device From This Flaw
Apple has addressed the flaw by implementing additional “permissions checks” in the Shortcuts application. We recommend updating your device to iOS 17.3 to benefit from the security patch. Ideally, set your device to receive automatic updates as they’re released.
Going forward, it’s important to exercise caution when executing Shortcuts from untrusted sources. For more cybersecurity tips, check out our guide to optimizing your iOS privacy settings.
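For anyone responsible for more than one device, the patched versions named above can be checked against a device inventory. The script below is an added example, not code from Apple or the researcher; the inventory layout (name, platform, version) and the device names are constructed, and it treats every version below the stated threshold as affected, as the article describes.

```python
# Added example: flag devices that still lack the CVE-2024-23204 fix.
# Thresholds are the versions named in the article; the inventory rows
# are constructed sample data, not real devices.

FIXED = {
    "ios": (17, 3),
    "ipados": (17, 3),
    "macos": (14, 3),
}

def parse_version(text):
    """Turn '17.2.1' into (17, 2, 1); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def status(platform, version):
    """Return 'patched', 'vulnerable' or 'unknown' for one device."""
    fixed = FIXED.get(platform.strip().lower())
    if fixed is None:
        return "unknown"      # platform not covered by the article
    try:
        have = parse_version(version)
    except ValueError:
        return "unknown"      # do not guess; send to manual review
    # Tuple comparison is component-wise, so (17, 2, 1) < (17, 3)
    # and (14, 3, 1) >= (14, 3).
    return "patched" if have >= fixed else "vulnerable"

def triage(inventory):
    """Map device name -> status for (name, platform, version) rows."""
    return {name: status(plat, ver) for name, plat, ver in inventory}

SAMPLE = [  # constructed inventory
    ("phone-01", "iOS", "17.2.1"),
    ("phone-02", "iOS", "17.3"),
    ("tablet-01", "iPadOS", "17.1"),
    ("laptop-01", "macOS", "14.3.1"),
    ("laptop-02", "macOS", "14.2.1"),
    ("watch-01", "watchOS", "10.3"),
    ("phone-03", "iOS", "17.x"),
]

if __name__ == "__main__":
    for name, result in triage(SAMPLE).items():
        print(f"{name}: {result}")
```

Devices reported as "unknown" should be reviewed by hand rather than assumed safe.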
The upcoming iOS 17.4 update — expected in March — will introduce major changes to the iOS ecosystem, including the ability to sideload apps. It will also introduce a new groundbreaking cryptographic protocol for iMessage.

