Researchers describe Apple’s recent zero-click shortcuts vulnerability

Zero-Click Shortcuts Vulnerability

Details have emerged about a now-patched, high-severity vulnerability in Apple’s Shortcuts app that could allow a shortcut to access sensitive information on the device without the user’s consent.

The vulnerability, tracked as CVE-2024-23204 (CVSS score: 7.5), was addressed by Apple on January 22, 2024 with the release of iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3And viewOS 10.3.

“A shortcut could potentially use sensitive data for certain actions without prompting the user,” the iPhone maker said in an advisory, stating that the issue was resolved with “additional permission checks.”


Apple Shortcuts is one scripting application which allows users to create personalized workflows (also called macros). to carry out specific tasks on their devices. It is installed by default on iOS, iPadOS, macOS and watchOS operating systems.

Bitdefender security researcher Jubaer Alnazi Jabin, who discovered and reported the Shortcuts bug, said it can be weaponized to create a malicious shortcut so it can bypass Transparency, Consent, and Control.TCC) policy.

TCC is an Apple security framework designed to protect user data from unauthorized access without requiring appropriate permissions first.

Specifically, the flaw is rooted in a shortcut action called ‘expand URL’, which is capable of expanding and cleaning up URLs that have been shortened using a URL shortening service such as or, while also UTM tracking parameters.

“Using this functionality made it possible to send a photo’s Base64 encoded data to a malicious website,” says Alnazi Jabin. explained.


“The method involves selecting sensitive data (photos, contacts, files and clipboard data) within Shortcuts, importing it, converting it using the base64 encoding option and finally forwarding it to the malicious server.”

The exfiltrated data is then captured and stored as an image on the attacker’s side using a Flask application, paving the way for follow-up exploitation.

“Shortcuts can be exported and shared between users, a common practice in the shortcut community,” the researcher said. “This sharing mechanism increases the potential reach of the vulnerability as users unknowingly import shortcuts that could exploit CVE-2024-23204.”

#Researchers #describe #Apples #zeroclick #shortcuts #vulnerability

Notify of
Inline Feedbacks
View all comments
Previous Post
Generative AI

Microsoft releases PyRIT: a Red Teaming tool for generative AI

Next Post
FTC slaps Avast with $16.5 million fine for selling users' browsing data

FTC slaps Avast with $16.5 million fine for selling users’ browsing data

Related Posts