CVE-2024-40836 - Logic Issue in Shortcut Handling Leads to Unauthorized Access to Sensitive Data in watchOS, macOS, iOS, and iPadOS

A new security vulnerability, CVE-2024-40836, has been identified in multiple Apple operating systems (watchOS, macOS, iOS, and iPadOS). This vulnerability is due to a logic issue within the shortcut handling system that can allow a malicious shortcut to access sensitive data without user permission. Apple has fixed the issue in watchOS 10.6, macOS Sonoma 14.6, iOS 17.6 and iPadOS 17.6, iOS 16.7.9, and iPadOS 16.7.9. Users are advised to update their systems to the latest version to mitigate any potential risks and exploits.

Code Snippet

Below is a code example outlining the manipulation of the shortcuts to access sensitive data without triggering a user prompt:

func shortcutAccessSensitiveData() {
    let action = ShortcutAction.type("sensitiveDataAccess")
    if action?.requiresUserConfirmation == false {
        let data = getSensitiveDataFromAction(action)
        sendDataToMaliciousServer(data)
    }
}

In the code snippet above, a shortcut action is defined to access sensitive data ("sensitiveDataAccess"). The malicious actor bypasses the user prompt requirement (requiresUserConfirmation) by setting it to false. The sensitive data is then obtained and sent to a remote malicious server without the user's consent.

Exploit Details

An attacker can exploit this vulnerability by creating a specially crafted shortcut that takes advantage of the weak logic in shortcut handling. Once the malicious shortcut is executed on a user's device, sensitive data such as contacts, photos, or other personally identifiable information (PII) can be accessed and transmitted to the attacker. Furthermore, the malicious shortcut is able to bypass the built-in checks that are supposed to prompt users for permission before accessing their data.

The impact of this vulnerability could be significant, as users' sensitive data can be misused for fraudulent activities, identity theft, or other malicious intents.

It is essential for users to update their devices to the latest software version as soon as possible to prevent potential attacks targeting this vulnerability. Users should also exercise caution when downloading and using shortcuts from untrusted sources.

Original References

The details of this vulnerability have been published by Apple on their official security updates page:

- Apple Security Updates: watchOS 10.6
- Apple Security Updates: macOS Sonoma 14.6
- Apple Security Updates: iOS 17.6 and iPadOS 17.6
- Apple Security Updates: iOS 16.7.9 and iPadOS 16.7.9

Apple has addressed this vulnerability and users should refer to the official documentation for more information on the specific updates required for their device and how to proceed with updating the software.

Conclusion

In conclusion, the CVE-2024-40836 vulnerability is a critical security issue that can grant a malicious actor unauthorized access to sensitive data on affected devices. Apple has addressed the issue in watchOS 10.6, macOS Sonoma 14.6, iOS 17.6 and iPadOS 17.6, iOS 16.7.9, and iPadOS 16.7.9. It is strongly recommended that users update their systems to the latest version to mitigate any potential risks and exploits. Additionally, users should remain vigilant about using shortcuts and downloading them only from trusted sources.

Timeline

Published on: 07/29/2024 23:15:14 UTC
Last modified on: 08/01/2024 13:58:15 UTC