iOS 17.3 Update Fixed Shortcuts Bug That Sent Data to Attackers

A vulnerability in Apple Shortcuts, which allowed the transmission of sensitive data to attackers, was patched in iOS 17.3.

The vulnerability was spotted by Bitdefender, which outlined the issue today. It received a Common Vulnerability Scoring System (CVSS) score of 7.5 out of 10, meaning it was a high-severity vulnerability. Bitdefender disclosed the issue to Apple, which issued a patch in iOS 17.3 last month.

Shortcuts is an automation tool that works on macOS and iOS devices. It lets people create workflows that streamline tasks, from creating GIFs and combining iPhone photos to automating favorite Tesla features.

However, Shortcuts are bound by some rules set by Apple. For example, they’re all supposed to adhere to Apple’s Transparency, Consent, and Control (TCC), a security framework that “governs access to sensitive user data and system resources by applications,” Bitdefender says. Thus, while Shortcuts can do plenty of things, there are checks to keep your privacy intact.

The malicious Shortcuts used the “Expand URL” function to bypass Apple’s TCC, making it possible for third parties to transmit data to malicious websites. These corrupted Shortcuts could steal photos, contacts, clipboard data, and other files. They would then encode the data in base64 and upload it to a website where it could be copied and stolen. (The above YouTube video shows how the exploit looks to the end user and the attacker.)

As AppleInsider reports, the malicious Shortcuts could be shared between users through a link, potentially leading to a widespread infection. Shortcuts can contain hundreds of actions, which would make a malicious Shortcut difficult to identify for the majority of users.

Fortunately, the issue is pretty easy to avoid. Apple patched the vulnerability in iOS 17.3 and macOS Sonoma 14.3, so be sure to update all your devices.
