Zero-Click Apple Shortcuts Vulnerability Allows Silent Data Theft

A dangerous vulnerability in Apple Shortcuts has surfaced, which could give attackers access to sensitive data across the device without the user being asked to grant permissions.
Apple's Shortcuts application, designed for macOS and iOS, is aimed at automating tasks.
For businesses, it allows users to create macros for executing specific tasks on their devices, and then combine them into workflows for everything from Web automation to smart-factory functions.
These can then be shared online through iCloud and other platforms with co-workers and partners.
According to an analysis from Bitdefender out today, the vulnerability makes it possible to craft a malicious Shortcuts file that would be able to bypass Apple's Transparency, Consent, and Control security framework, which is supposed to ensure that apps explicitly request permission from the user before accessing certain data or functionalities.
That means that when someone adds a malicious shortcut to their library, it can silently pilfer sensitive data and systems information, without having to get the user to give access permission.
In their proof-of-concept exploit, Bitdefender researchers were then able to exfiltrate the data in an encrypted image file.
The bug is a threat to macOS and iOS devices running versions preceding macOS Sonoma 14.3, iOS 17.3, and iPadOS 17.3, and it is rated 7.5 out of a possible 10 on the Common Vulnerability Scoring System because it can be remotely exploited with no required privileges.
In October, Accenture published a report revealing a tenfold rise in Dark Web threat actors targeting macOS since 2019 - with the trend poised to continue.
The findings coincide with the emergence of sophisticated macOS infostealers created to bypass Apple's built-in detection.
Kaspersky researchers recently discovered macOS malware targeting Bitcoin and Exodus cryptowallets, with the malicious software substituting genuine apps with compromised versions.
Bugs also continue to come to light, making initial access easier.
Earlier this year Apple fixed a zero-day vulnerability in its Safari browser's WebKit engine, caused by a type confusion error, where input validation assumptions can lead to exploitation.
To avoid bad Apple outcomes in general, the report strongly advises users to update macOS, iPadOS, and watchOS devices to the latest versions, exercise caution when executing shortcuts from untrusted sources, and regularly check for security updates and patches from Apple.


This Cyber News was published on www.darkreading.com. Publication date: Thu, 22 Feb 2024 20:51:07 +0000


Cyber News related to Zero-Click Apple Shortcuts Vulnerability Allows Silent Data Theft

How to perform a proof of concept for automated discovery using Amazon Macie | AWS Security Blog - After reviewing the managed data identifiers provided by Macie and creating the custom data identifiers needed for your POC, it’s time to stage data sets that will help demonstrate the capabilities of these identifiers and better understand how ...
2 months ago Aws.amazon.com
31 Alarming Identity Theft Statistics for 2024 - Identity theft is a prevalent issue that affects millions of people annually. Although the numbers are startling, we've selected the 31 most concerning identity theft statistics to help you understand how to secure your identity. In 2022, the FTC ...
11 months ago Pandasecurity.com
Zero-Click Apple Shortcuts Vulnerability Allows Silent Data Theft - A dangerous vulnerability in Apple Shortcuts has surfaced, which could give attackers access to sensitive data across the device without the user being asked to grant permissions. Apple's Shortcuts application, designed for macOS and iOS, is aimed at ...
10 months ago Darkreading.com
Days After Google, Apple Reveals Exploited Zero-Day in Browser Engine - Apple has patched an actively exploited zero-day bug in its WebKit browser engine for Safari. Actively Exploited Apple yesterday described the vulnerability as something an attacker could exploit to execute arbitrary code on affected systems. ...
10 months ago Darkreading.com
Apple fixes two new iOS zero-days in emergency updates - Apple released emergency security updates to fix two zero-day vulnerabilities exploited in attacks and impacting iPhone, iPad, and Mac devices, reaching 20 zero-days patched since the start of the year. "Apple is aware of a report that this issue may ...
1 year ago Bleepingcomputer.com
The Latest Identity Theft Methods: Essential Protection Strategies Revealed - Identity theft has evolved far beyond the days of stolen mail and dumpster diving. Today's identity thieves employ sophisticated techniques, including account takeovers and government benefit fraud, making it essential for you to stay vigilant to ...
10 months ago Hackread.com
The Role of Zero-Knowledge Proofs in LLM Chains - In today's digital age, data privacy has become a paramount concern for individuals and organizations alike. With the increasing amount of personal and sensitive information being stored and transmitted online, there is a growing need for robust ...
11 months ago Feeds.dzone.com
Zero Trust Security Framework: Implementing Trust in Business - The Zero Trust security framework is an effective approach to enhancing security by challenging traditional notions of trust. Zero Trust Security represents a significant shift in the cybersecurity approach, challenging the conventional concept of ...
10 months ago Securityzap.com
Zero-Trust Architecture in Modern Cybersecurity - Clearly, organizations need more robust cybersecurity protections in place, which is leading many to adopt a zero-trust architecture approach. Zero-trust flips conventional security on its head by shifting from an implicit trust model to one where ...
9 months ago Feeds.dzone.com
Check Point released hotfix for actively exploited VPN zero-day - MUST READ. Check Point released hotfix for actively exploited VPN zero-day. Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. Apple ...
6 months ago Securityaffairs.com
Implementing Zero Trust and Mitigating Risk: ISC2 Courses to Support Your Development - PRESS RELEASE. Zero trust security is a proactive and robust approach to cybersecurity that addresses modern threats by continuously verifying and monitoring all network activities. While its implementation can be complex and resource-intensive, the ...
5 months ago Darkreading.com
Unmasking Identity Theft: Detection and Mitigation Strategies - In an increasingly digital world, the threat of identity theft looms large, making it imperative for individuals to be proactive in detecting potential breaches and implementing effective mitigation measures. This article delves into key strategies ...
11 months ago Cybersecurity-insiders.com
Apple fixes Safari WebKit zero-day flaw exploited at Pwn2Own - Apple has released security updates to fix a zero-day vulnerability in the Safari web browser exploited during this year's Pwn2Own Vancouver hacking competition. The company addressed the security flaw on systems running macOS Monterey and macOS ...
7 months ago Bleepingcomputer.com
Apple emergency updates fix recent zero-days on older iPhones - Apple has issued emergency security updates to backport patches for two actively exploited zero-day flaws to older iPhones and some Apple Watch and Apple TV models. The two vulnerabilities, now tracked as CVE-2023-42916 and CVE-2023-42917, were ...
1 year ago Bleepingcomputer.com
The 7 Core Pillars of a Zero-Trust Architecture - The zero-trust framework is gaining traction in the enterprise due to its security benefits. Organizations are increasingly adopting a zero-trust model in their security programs, replacing the traditional perimeter-based security model. The ...
6 months ago Techtarget.com
Apple backports fix for RTKit iOS zero-day to older iPhones - Apple has backported security patches released in March to older iPhones and iPads, fixing an iOS Kernel zero-day tagged as exploited in attacks. The flaw is a memory corruption issue in Apple's RTKit real-time operating system that enables attackers ...
7 months ago Bleepingcomputer.com
Apple fixes first zero-day bug exploited in attacks this year - Apple released security updates to address this year's first zero-day vulnerability exploited in attacks that could impact iPhones, Macs, and Apple TVs. The zero-day fixed today is tracked as CVE-2024-23222 and is a WebKit confusion issue that ...
11 months ago Bleepingcomputer.com
iPhone Triangulation attack abused undocumented hardware feature - The Operation Triangulation spyware attacks targeting iPhone devices since 2019 leveraged undocumented features in Apple chips to bypass hardware-based security protections. This finding comes from Kaspersky analysts who have been reverse-engineering ...
11 months ago Bleepingcomputer.com
Apple 'Find My' network can be abused to steal keylogged passwords - Apple's "Find My" location network can be abused by malicious actors to stealthily transmit sensitive information captured by keyloggers installed in keyboards. The Find My network and application is designed to help users locate lost or misplaced ...
1 year ago Bleepingcomputer.com
Navigating the Future: Zero Trust and SSE in Cybersecurity Leadership Strategies - This article delves into two potent concepts shaping the future of information security: Zero Trust and Security Service Edge. In this new reality, organizations require adaptable security measures to keep pace with the changing tides. At its ...
7 months ago Cybersecurity-insiders.com
Why a Zero Trust Security Policy Matters and Steps to Implementation - Adaptability: In a world where business operations span across multiple environments, from on-premises data centers to cloud-based applications, a flexible security approach is essential. Zero trust provides precisely that, ensuring that your ...
11 months ago Securityboulevard.com
Identity Verification and Access Control with No Trust Assumed - Zero trust is a security model that is becoming increasingly important in the world of cybersecurity. In 2023, we will see more vendors offering complete zero trust products and services, and more businesses attempting to implement it. Zero trust is ...
1 year ago Securityweek.com
Executing Zero Trust in the Cloud Takes Strategy - Zero trust is a high-level strategy that assumes that individuals, devices, and services attempting to access company resources, both externally and internally, can't automatically be trusted. Digital transformation, embracing of SaaS, remote work, ...
11 months ago Darkreading.com
Canada to ban the Flipper Zero to stop surge in car thefts - The Canadian government plans to ban the Flipper Zero and similar devices after tagging them as tools thieves can use to steal cars. The Flipper Zero is a portable and programmable pen-testing tool that helps experiment with and debug various ...
10 months ago Bleepingcomputer.com
Canada to ban the Flipper Zero to stop surge in car thefts - The Canadian government plans to ban the Flipper Zero and similar devices after tagging them as tools thieves can use to steal cars. The Flipper Zero is a portable and programmable pen-testing tool that helps experiment with and debug various ...
10 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)