In the world of technology, a new threat affecting Apple products has been discovered. This time, the vulnerability applies to the “fast commands” application – a tool for creating user automated tasks, which is built into the iOS, iPadOS, MacOS, and WatchOS operating systems.
The problem, identified as CVE-2024-23204 and assessed with a severity of 7.5 points on the CVSS scale, allows unauthorized access to confidential information on the target device using a shortcut without the user’s consent.
The vulnerability was discovered by security specialist Jubaer Alnazi Dzhabin from Bitdefender. He explained that attackers can create a malicious macro in the Shortcuts application, bypassing Apple’s TCC policy, which is designed to protect users from unauthorized access.
The issue is based on the “expand URL” function in the Shortcuts application, which is intended to abbreviate addresses and delete tracking parameters. Attackers can use this functionality to encode any user files in base64 and transmit them to a controlled malicious site.
Alnazi Dzhabin further elaborated: “The method involves selecting confidential data such as photographs, contacts, files, and clipboard data in the Shortcuts application, encoding them using Base64, and ultimately transferring them to a malicious server.”
The operation of this vulnerability poses a serious threat as the Shortcuts application allows users to export and share created macros, expanding the potential for attacks.
Apple responded promptly to the situation by releasing updates for its operating systems on January 22, 2024. Protections against this threat were introduced in iOS 17.3, iPadOS 17.3, MacOS Sonoma 14.3, and WatchOS 10.3. Details of the vulnerability were disclosed a month later to allow as many users as possible to update to the secure OS version.
If you have not updated your Apple device yet, it is crucial to do so immediately to mitigate the potential exploit of the CVE-2024-23204.