A process of the Shortcuts app, com.apple.WorkflowKit.BackgroundShortcutRunner, which executes shortcuts in the background on Apple devices, can still access some sensitive data despite being sandboxed by TCC. This allows an attacker to craft a malicious shortcut and circulate it through the Shortcuts app's sharing mechanism.
“This sharing mechanism extends the potential reach of the vulnerability, as users unknowingly import shortcuts that might exploit CVE-2023-23204,” Jabin said in a blog post. “With Shortcuts being a widely used feature for efficient task management, the vulnerability raises concerns about the inadvertent dissemination of malicious shortcuts through diverse sharing platforms.”
The malicious shortcut abuses an action provided by the Shortcuts app, "Expand URL," which expands and cleans up any URL that was previously shortened with a service such as t.co or bit.ly.
According to Jabin, this action can be misused to select sensitive data on the device (Photos, Contacts, Files, and Clipboard data), import it, base64-encode it, and send it to an attacker-controlled server.
Apple releases yet another patch
The bug, which affects macOS before Sonoma 14.3, iOS before 17.3, and iPadOS before 17.3, has since been patched with additional permission checks.
In addition to applying the patches on all Apple devices, Jabin advised Apple customers to exercise caution when running shortcuts from untrusted sources.