February 23, 2024 at 01:09AM
A high-severity security flaw in Apple’s Shortcuts app, CVE-2024-23204, was patched on January 22, 2024. The flaw allowed shortcuts to access sensitive data without user consent. A Bitdefender researcher discovered the bug and reported that it could bypass TCC (Transparency, Consent, and Control) policies and exfiltrate data to a malicious server. The vulnerability was fixed in iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3.
The meeting notes from Feb 23, 2024, highlight a high-severity security flaw in Apple’s Shortcuts app. The vulnerability, tracked as CVE-2024-23204 with a CVSS score of 7.5, allowed shortcuts to access sensitive information on a device without the user’s consent. Apple addressed the issue on Jan 22, 2024, with the release of iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3, which add further permission checks. Bitdefender security researcher Jubaer Alnazi Jabin discovered and reported the bug, which could bypass Apple’s Transparency, Consent, and Control (TCC) policies. The flaw stems from a shortcut action called “Expand URL,” which could be used to transmit Base64-encoded data to a malicious website. The risk falls on users who unknowingly import exploitative shortcuts shared within the Shortcuts community.
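The pattern described above (read sensitive data, Base64-encode it, feed it to “Expand URL”) is something a defender can look for when auditing shortcuts before importing them. The following scanner is an added example and is not code from the article, from Bitdefender, or from Apple. It parses a shortcut’s property list, walks its action list, and flags every “Expand URL” action that is preceded by a Base64 encode step and by an action that reads a sensitive source. The plist keys (`WFWorkflowActions`, `WFWorkflowActionIdentifier`) and every action identifier string are assumptions made for this illustration; the article only names the “Expand URL” action, so verify them against a real exported shortcut before relying on the output. The sample shortcut is constructed inline.

```python
import plistlib
from dataclasses import dataclass, field

# Action identifiers used by this example. These are ASSUMED values chosen
# for illustration; the source article only names the "Expand URL" action.
# Check them against a real exported shortcut before using this in practice.
EXPAND_URL_ACTION = "is.workflow.actions.url.expand"
BASE64_ACTION = "is.workflow.actions.base64encode"
SENSITIVE_SOURCE_ACTIONS = {
    "is.workflow.actions.getlastphoto": "Photos",
    "is.workflow.actions.contacts": "Contacts",
    "is.workflow.actions.getclipboard": "Clipboard",
    "is.workflow.actions.documentpicker.open": "Files",
}


@dataclass
class Finding:
    index: int                       # position of the Expand URL action
    encodes_base64: bool             # a Base64 encode step ran before it
    sources: list = field(default_factory=list)  # sensitive sources read earlier


def scan_actions(actions):
    """Walk the action list in order and report each Expand URL action
    together with what flowed into it earlier in the shortcut."""
    findings = []
    seen_base64 = False
    seen_sources = []
    for i, action in enumerate(actions):
        ident = action.get("WFWorkflowActionIdentifier", "")
        if ident in SENSITIVE_SOURCE_ACTIONS:
            seen_sources.append(SENSITIVE_SOURCE_ACTIONS[ident])
        elif ident == BASE64_ACTION:
            seen_base64 = True
        elif ident == EXPAND_URL_ACTION:
            findings.append(Finding(i, seen_base64, list(seen_sources)))
    return findings


def scan_shortcut_plist(data: bytes):
    """Parse an exported shortcut plist (bytes) and scan its actions."""
    plist = plistlib.loads(data)
    return scan_actions(plist.get("WFWorkflowActions", []))


def risk_level(finding: Finding) -> str:
    """Heuristic: Expand URL alone is benign; sensitive data plus an
    encoding step before it is the exfiltration shape described above."""
    if finding.sources and finding.encodes_base64:
        return "high"
    if finding.sources or finding.encodes_base64:
        return "medium"
    return "low"


# Constructed sample shortcut: last photo -> Base64 -> Expand URL.
SAMPLE_SHORTCUT = plistlib.dumps({
    "WFWorkflowName": "Wallpaper helper (constructed sample)",
    "WFWorkflowActions": [
        {"WFWorkflowActionIdentifier": "is.workflow.actions.getlastphoto"},
        {"WFWorkflowActionIdentifier": BASE64_ACTION},
        {"WFWorkflowActionIdentifier": EXPAND_URL_ACTION},
    ],
})

if __name__ == "__main__":
    for f in scan_shortcut_plist(SAMPLE_SHORTCUT):
        print(f"action #{f.index}: Expand URL, risk={risk_level(f)}, "
              f"base64={f.encodes_base64}, sources={f.sources}")
```

The check is deliberately a heuristic: “Expand URL” on its own is a legitimate action, so the scanner only raises the risk when data from a sensitive source and an encoding step precede it in the same flow. Running it on a directory of exported shortcuts before importing them gives a quick triage list rather than a verdict.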