Aside from fixing the group FaceTime eavesdropping bug on iPhone, iPad and Mac with the iOS 12.1.4 software update and the macOS Mojave 10.14.3 Supplemental Update, Apple has also resolved a major security issue found recently within its Shortcuts app for iPhone and iPad.
As we reported last week, the app was plagued with a major oversight: an attacker could create and distribute a malicious shortcut that collected contacts, addresses, files and other user data and, in the background, sent it to the attacker as a ZIP file via iMessage.
Although the App Store's release notes accompanying today's Shortcuts 2.1.3 update mention only unspecified bug fixes and improvements, a support document on Apple's website offers detailed information about the security content of the update.
Hereby I release the malicious shortcut POC ( https://t.co/xa2KGHGnLL ) that was mentioned by @twolivesleft and by @EdFromFreelance in his article!
FYI: apple doesn't treat this as a bug but as intended behavior... so yea.. :) let it do its job.
Pics/vids below (as @bzamayo pointed).
— Avimanyu Roy (@AvimanyuRoy3) January 31, 2019
The first bug, a parsing issue in the handling of directory paths, enabled a local user to view sensitive user information; it was addressed with improved path validation.
The other flaw, which circumvented Apple’s sandbox restrictions, was fixed as well. The security document credits Avimanyu Roy for reporting these issues.
“We would like to acknowledge Sem Voigtländer of Fontys Hogeschool ICT for their assistance,” the document reads.