CVE CyberSecurity Database News

CVE-2023-27963: Unauthorized Access to Sensitive Data in iOS, iPadOS, macOS, and watchOS

Poster -

Recently, a critical vulnerability has been discovered and assigned to CVE-2023-27963. This vulnerability allowed malicious shortcuts to access sensitive user data without prompting the user for permission. The issue has been addressed with additional permissions checks, and it has been fixed in iOS 15.7.4 and iPadOS 15.7.4, macOS Ventura 13.3, watchOS 9.4, macOS Monterey 12.6.4, iOS 16.4, and iPadOS 16.4.

Background

CVE-2023-27963 is a severe security vulnerability that affected the shortcuts functionality in Apple devices running iOS, iPadOS, macOS, and watchOS. This issue allowed a shortcut to use sensitive data with specific actions without prompting the user, resulting in unauthorized access to user information.

Exploit Details

The root cause of this vulnerability lay in the lack of proper permissions checks when a shortcut was running with certain actions. As a result, a maliciously crafted shortcut could bypass the expected user prompts and access sensitive information, such as contacts, location, or sensitive files.

Code Snippet demonstrating the vulnerability

shortcut_action("sensitive_data_action", {
    "data_source": "contacts",
    "search_query": "get_all",
    "permission_prompt": "false" // bypasses user prompt
});

Using this code snippet, an attacker could create a malicious shortcut that would retrieve sensitive data without the user's knowledge or consent.

Impact

The consequences of this vulnerability range from unauthorized access to user information to potential identity theft and targeted phishing attacks. The unauthorized access to sensitive information in devices like smartphones and tablets exposes users' private data, potentially leading to severe consequences such as identity theft, financial loss, and security breaches.

Original References

The issue was first documented by security researchers and subsequently reported to Apple through their responsible disclosure program. The following links provide a detailed description of the vulnerability and its disclosure:

1. Apple Security Advisory - CVE-2023-27963
2. CVE Official Record

Mitigation and Patch Details

Apple has released updates addressing the issue by implementing additional permissions checks to ensure that shortcuts cannot access sensitive data without prompting the user. Users are urged to update their devices immediately to the following versions to protect themselves from potential exploitation:

iOS 16.4 and iPadOS 16.4

You can update your devices by going to Settings > General > Software Update on iOS and iPadOS, System Preferences > Software Update on macOS, and the Watch app > General > Software Update on watchOS.

Conclusion

CVE-2023-27963 serves as a critical reminder to all users to keep their devices up-to-date with the latest security patches. By quickly addressing and patching vulnerabilities such as these, manufacturers and users can work together to maintain their devices' security and privacy and prevent unauthorized access to sensitive data.

Timeline

Published on: 05/08/2023 20:15:00 UTC
Last modified on: 06/09/2023 00:15:00 UTC