February 23, 2024 at 09:27AM
A high-severity vulnerability, tracked as CVE-2024-23204, in Apple Shortcuts allowed attackers to access sensitive user information and system resources without user prompting. Cybersecurity firm Bitdefender discovered the issue, which bypassed Apple’s framework governing access permissions. The vulnerability was addressed with the release of iOS 17.3, iPadOS 17.3, and macOS Sonoma 14.3.
Key takeaways on the Apple Shortcuts vulnerability:
– CVE-2024-23204 is a high-severity vulnerability impacting both iOS and macOS users, enabling attackers to access sensitive information without user prompting.
– The vulnerability allows attackers to bypass Apple’s Transparency, Consent, and Control (TCC) framework, the mechanism that governs access to sensitive user information and system resources.
– The issue is related to the Shortcuts background process and can bypass TCC, potentially allowing access to data even from within a sandbox.
– The vulnerability was addressed in January with the release of iOS 17.3, iPadOS 17.3, and macOS Sonoma 14.3, in which Apple implemented additional permission checks to resolve the issue.
Users are advised to install the latest iOS and macOS patches to safeguard against this vulnerability.