iPhones that have not updated to iOS 17.3 are at high risk of having sensitive data stolen due to vulnerabilities in the Shortcuts application.
According to Apple Insider, a Bitdefender study shows that devices that have not updated to iOS 17.3 version will be less secure, as a malicious vulnerability exists in the Shortcuts application that can steal sensitive data and send it to them. for the attacker.
The Shortcuts app is built into iOS, iPadOS, and macOS to give users the ability to quickly and easily build automation shortcuts. These action shortcuts can be shared between users via a link, which could lead to a malicious shortcut being shared in an uncontrolled manner.
According to Bitdefender’s research, an uninformed Shortcuts user could be exploited or accidentally receive a shortcut that exploits vulnerabilities in Transparency, Consent, and Control (TCC) – the system that protects users. from having your data stolen. Normally, a TCC warning would appear when an application or shortcut tries to access sensitive information or system resources, but the vulnerability bypasses this check.
Specifically, a malicious shortcut can take advantage of the ‘Expand URL’ feature to bypass TCC and send base64 encoded data of photos, contacts, files, or clipboard data to a web address. A Flask program on the attacker’s server collects and stores this transmitted data for possible future exploitation. Apple has identified this vulnerability as CVE-2024-23204.
The simplest way to avoid risks is to update the operating system to iOS 17.3.1, iPadOS 17.3.1, or macOS Sonoma 14.3, which has been patched for Shortcuts vulnerabilities. Bitdefender classifies this issue as high risk due to its potential to exploit sensitive user data
