A dangerous vulnerability in Apple Shortcuts has surfaced, which could give attackers access to sensitive data across the device without the user being asked to grant permissions.
Apple's Shortcuts application, designed for macOS and iOS, is aimed at automating tasks.
For businesses, it allows users to create macros for executing specific tasks on their devices, and then combine them into workflows for everything from Web automation to smart-factory functions.
These can then be shared online through iCloud and other platforms with co-workers and partners.
According to an analysis from Bitdefender out today, the vulnerability makes it possible to craft a malicious Shortcuts file that would be able to bypass Apple's Transparency, Consent, and Control security framework, which is supposed to ensure that apps explicitly request permission from the user before accessing certain data or functionalities.
That means that when someone adds a malicious shortcut to their library, it can silently pilfer sensitive data and system information without the user ever being prompted to grant access.
In their proof-of-concept exploit, Bitdefender researchers were able to exfiltrate the data in an encrypted image file.
The bug is a threat to macOS and iOS devices running versions preceding macOS Sonoma 14.3, iOS 17.3, and iPadOS 17.3, and it is rated 7.5 out of a possible 10 on the Common Vulnerability Scoring System because it can be remotely exploited with no required privileges.
In October, Accenture published a report revealing a tenfold rise in Dark Web threat actors targeting macOS since 2019, with the trend poised to continue.
The findings coincide with the emergence of sophisticated macOS infostealers created to bypass Apple's built-in detection.
Kaspersky researchers recently discovered macOS malware targeting Bitcoin and Exodus cryptowallets, with the malicious software substituting genuine apps with compromised versions.
Bugs also continue to come to light, making initial access easier.
Earlier this year, Apple fixed a zero-day vulnerability in the WebKit engine of its Safari browser. The flaw was caused by a type confusion error, in which assumptions made during input validation can lead to exploitation.
To avoid bad Apple outcomes in general, the report strongly advises users to update macOS, iPadOS, and watchOS devices to the latest versions, exercise caution when executing shortcuts from untrusted sources, and regularly check for security updates and patches from Apple.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 22 Feb 2024 20:51:07 +0000