This flaw puts Apple users at risk


Mélina LOUPIA

February 26, 2024 at 12:10 p.m.


A vulnerability in an Apple app exposes its users - @ Laurenz Heymann / Unsplash


The flaw, located in the “Apple Shortcuts” application, exposes users’ data without their knowledge.

A critical security flaw has been discovered in Apple’s Shortcuts app, raising fears that sensitive data could be compromised without users’ knowledge. Tracked as CVE-2024-23204, the vulnerability affects iOS and macOS. Although it can only be exploited through certain specific actions, it allows attackers to bypass the Apple security mechanism that protects access to sensitive data and system resources.

A vulnerability that exposes user data without their consent.

Apple Shortcuts, a useful but fragile app

Providing hundreds of built-in actions, Apple Shortcuts is an automation app that lets users streamline tasks on iOS and macOS, with custom workflows for file management, education, onboarding, smart home, and more.

Versatile Apple Shortcuts simplify various tasks on macOS and iOS devices. They automate everything from application management to device control, media management, messaging, and location-based actions.

Users can create workflows for file management, health, fitness, web automation, education, and smart home integration. These flexible and customizable shortcuts improve productivity by making everyday tasks faster and more efficient. Whether automating common tasks or facilitating specific features, they respond to a variety of user preferences, providing a seamless and personalized experience on Apple devices.

The tactic: bypass the TCC

Reported by Bitdefender, the issue is related to the Shortcuts background process and may bypass Transparency, Consent, and Control (TCC), which ensures that apps cannot access certain sensitive information unless the user explicitly grants permission.

Using the “Expand URL” function in a shortcut, the cybersecurity company successfully bypassed TCC, sending a photo’s base64-encoded data to a remote website. Bitdefender explains that this method involves selecting all sensitive data in the shortcuts, importing it, converting it to base64, and then transmitting it to the malicious server. An attacker could then easily exploit the data collected this way.
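On the detection side, the pattern described above leaves a recognizable trace in outbound web traffic: a URL carrying a long base64 run that decodes to image data. The following is an added example, not code from Bitdefender or Apple; the three-field log format, the hostnames and the 64-character threshold are assumptions, and the check goes slightly beyond the article by also recognizing PNG and HEIC headers.

```python
import base64
import re
from urllib.parse import quote, unquote, urlsplit

# A URL piece made only of base64/base64url characters, 64+ long (assumed threshold).
B64_PIECE = re.compile(r"[A-Za-z0-9+/_-]{64,}")
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png"}

def sniff_image(token):
    """Decode the first 48 bytes of a base64 token and name the image type, if any."""
    head = token[:64].replace("-", "+").replace("_", "/")  # normalise base64url
    try:
        raw = base64.b64decode(head)
    except ValueError:
        return None
    if raw[4:8] == b"ftyp":  # ISO-BMFF container: HEIC photos, MP4/MOV video
        return "heif/mp4"
    return next((name for sig, name in MAGIC.items() if raw.startswith(sig)), None)

def flag_exfil(log_lines):
    """Return (host, image_type, decoded_bytes) for requests whose URL carries image data."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:  # assumed format: timestamp, method, URL
            continue
        url = urlsplit(fields[2])
        # Split on URL delimiters first, then percent-decode each piece, so an
        # encoded "/" (%2F) inside the payload is not mistaken for a path separator.
        for piece in re.split(r"[/?&=]", url.path + "?" + url.query):
            token = unquote(piece)
            kind = sniff_image(token) if B64_PIECE.fullmatch(token) else None
            if kind:
                hits.append((url.hostname, kind, len(token) * 3 // 4))
    return hits

def sample_log():
    """Constructed log lines: two carry fake image headers, three are benign."""
    jpeg = base64.b64encode(b"\xff\xd8\xff\xe0" + b"\x00" * 80).decode()
    png = base64.urlsafe_b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 80).decode()
    return [
        "2024-02-26T12:10:00Z GET https://collector.example/u/" + quote(jpeg, safe=""),
        "2024-02-26T12:10:02Z GET https://cdn.example/assets/" + "a" * 80 + ".js",
        "2024-02-26T12:10:04Z GET https://sso.example/cb?state=" + "Zm9v" * 20,
        "2024-02-26T12:10:06Z GET https://collector.example/x?d=" + png,
        "2024-02-26T12:10:08Z GET https://news.example/article?id=42",
    ]

if __name__ == "__main__":
    for hit in flag_exfil(sample_log()):
        print(hit)
```

Unencoded standard base64 placed directly in a path is split at each "/" by this heuristic, so it is a starting point for a proxy-log hunt, not a complete control.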

Apple corrects the situation

With a score of 7.5/10 on the CVSS scale, this flaw presents a high risk because it can be exploited remotely without specific privileges. Apple has already rolled out a fix, but it’s vital to make sure your Shortcuts app is up to date.

The vulnerability was fixed in January with the release of iOS 17.3 and iPadOS 17.3, as well as macOS Sonoma 14.3. Apple said it fixed the issue with additional permission checks.

“A shortcut can allow sensitive data to be used with certain actions without the user being informed,” the customer support page indicates.

Users are advised to install the latest iOS and macOS patches as soon as possible.


Source: Security Week, Apple, BitDefender

Mélina LOUPIA


Ex-corporate journalist, the world of the web, networks, connected machines and everything that is written on the Internet whets my appetite. From the latest TikTok trend to the most liked reels, I come from the Facebook generation that is still fascinated by the internal war between Mac and PC. As a wise woman, the Internet, its tools, practices and regulations are among my favorite hobbies (that, lineart, knitting and bad jokes). My motto: to try it is to adopt it, but in complete safety.
