One of Apple’s best iOS productivity tools had a pretty concerning security flaw, so patch now

Home / QSOL IT News / Apples / One of Apple’s best iOS productivity tools had a pretty concerning security flaw, so patch now

Experts have warned popular iOS was flawed in a way that allowed threat actors to steal sensitive data from the vulnerable device.

The app in question is called Shortcuts, and it acts as a nifty little -saving widget that allows apps to interact with one another on specific and thus generate actions, such as using it to determine the user’s , calculate how much time it would take to get home, and send that information via SMS, to a contact. 

Now, The Hacker is reporting that Shortcuts carried a high severity flaw that allowed unidentified individuals to access sensitive information, stored on the device, without user consent. The flaw is tracked as CVE-2024-23204, and holds a severity score of 7.5.

Bypassing email security

“A shortcut may be able to use sensitive data with certain actions without prompting the user,” Apple said in the advisory published with its patch for the flaw. The was fixed with “additional permissions checks.”

While Apple’s explanation might be purely theoretical, one from Bitdefender security researcher Jubaer Alnazi Jabin is a lot more . Jabin, who was the one to report the bug to Apple in the first place, said the flaw could be abused to create a malicious shortcut capable of working around Transparency, Consent, and Control (TCC) policies – Apple’s data protection framework. 

Explaining how the flaw works, Jabin said Shortcuts have an action called “Expand URL”, which expands shortened URLs and clears them of UTM tags.

“By leveraging this functionality, it became possible to transmit the Base64-encoded data of a photo to a malicious website,” Jabin said. “The method involves selecting any sensitive data (Photos, Contacts, Files, and clipboard data) within Shortcuts, importing it, converting it using the base64 encode option, and ultimately forwarding it to the malicious server.”

The data can then be saved as an image via Flask. “Shortcuts can be exported and shared among users, a common practice in the Shortcuts ,” the researcher said. “This sharing mechanism extends the potential reach of the vulnerability, as users unknowingly import shortcuts that might exploit CVE-2024-23204.”

More from TechRadar Pro

Source link

Related Post

Microsoft earnings press release available on Investor Relations

REDMOND, Wash. — Jan. 29, 2025 — Microsoft Corp. on Wednesday announced that fiscal year 2025 second-quarter financial results are

AI, conference call, Financial Results, Investor Relations, Microsoft, Microsoft Earnings Results, Press Releases, Syndicated, Technology

Cybersecurity Threat Advisory: Apple iOS zero-day vulnerability

Apple has released critical security updates to address an actively exploited  zero-day vulnerability, tracked as CVE-2025-24085. Continue reading this Cybersecurity

app, Apple, cybersecurity, Cybersecurity Threat Advisory, day vulnerability, Featured, iOS, Security, Syndicated, Zero, zero-day

Let’s Set Up Passkeys: The Easy, Secure Way!

Explore the easy setup of passkeys for phishing-resistant authentication.

app, authentication methods, cybersecurity, Entra, passkeys, phishing, Science, Syndicated

The value of AI: How Microsoft’s customers and

Organizational leaders in every industry around the world are evaluating ways AI can unlock opportunities, drive pragmatic innovation and yield

AI, app, Azure, Azure AI, Azure AI Foundry, Azure AI Studio, Azure Arc, Azure OpenAI Service, Azure Stack HCI, Business, Copilot, Copilot Studio, copilots, Featured, Microsoft, Microsoft Fabric, Microsoft Ignite 2024, Organizational leaders, Security, Syndicated, Technology, The Official Microsoft Blog, transformation