CVE-2024-23204 Detection: Exploitation of a Recently Patched Vulnerability in Apple Shortcuts App Can Lead to User Data Theft

[post-views]
February 27, 2024 · 4 min read
CVE-2024-23204 Detection: Exploitation of a Recently Patched Vulnerability in Apple Shortcuts App Can Lead to User Data Theft

Apple has patched a notorious security gap affecting its Shortcuts app. The high-severity flaw enables adversaries to collect sensitive info without user consent. The uncovered zero-click Shortcuts vulnerability tracked as CVE-2024-23204 poses risks to user privacy, enabling threat actors to access sensitive data on the compromised device without the user’s permission.

Detect CVE-2024-23204 Exploits

With an exponential rise in attack volumes and sophistication, the threat landscape of 2024 is assumed to be even more challenging than last year. The cost of cyber attacks on the global economy is estimated to top US$10.5 trillion by the end of 2024. Taking into account 29K+ new CVEs discovered in 2023, with a 14,5% surge predicted for 2024, security professionals require advanced solutions to detect and defend from threats proactively. 

SOC Prime’s Platform for collective cyber defense offers the world’s largest collection of behavior-based detection algorithms to detect attackers’ TTPs, backed by innovative threat hunting and detection engineering solutions created to streamline SOC operations. 

To assist cyber defenders in identifying malicious activity associated with CVE-2023-23204 exploitation, Threat Detection Marketplace aggregates a curated Sigma rule helping to spot a downloaded Apple shortcut file, potentially indicating an attempt to exploit the vulnerability in the limelight. Attackers might use this vulnerability to initiate phishing campaigns and gain initial access to victim environments. 

Possible CVE-2024-23204 (MacOS Sensitive Data Usage Without Prompting A User) Exploitation Attempt (via file_event)

The rule above is compatible with 20 SIEM, EDR, XDR, and Data Lake solutions and mapped to MITRE ATT&CK framework v14.1, addressing the Initial Access tactic and Phishing (T1566) as the main technique. The rule is enriched with extensive metadata, including CTI and ATT&CK references, attack timelines, and more. 

Security professionals seeking more Sigma rules addressing CVE exploitation can drill down to the dedicated detection stack of more than 1,000 algorithms by hitting the Explore Detections button below. 

Explore Detections

CVE-2024-23204 Analysis

A recent discovery by cybersecurity researchers has revealed a vulnerability in Apple’s Shortcuts app, known as CVE-2024-23204, which reaches a CVSS score of 7.5. Apple Shortcuts is a highly popular tool that enables simplifying tasks across macOS and iOS devices, like offering automated capabilities for quick app tasks, device management, media handling, messaging, and location-based activities. Adversaries can weaponize this high-severity vulnerability to create a malicious shortcut that bypasses TCC policies.

Jubaer Alnazi Jabin from Bitdefender unveiled the security issue and provided its in-depth overview and technical details. The flaw lies within the “Expand URL” shortcut action designed to expand and sanitize URLs shortened by relevant services, while also eliminating UTM tracking parameters. Abusing these shortcut capabilities involves selecting sensitive information within the Shortcuts app, importing and encoding it via base64, and then sending it to the adversary server. The captured data is subsequently stored as an image on the attacker’s server through a Flask app, creating opportunities for further exploitation. The sharing feature in Shortcuts amplifies the vulnerability’s risks, as users can readily import shortcuts that weaponize the flaw.

Apple addressed the flaw on January 22, 2024, with the launch of a set of product versions, iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3. As CVE-2024-23204 mitigation measures, Apple users should promptly upgrade their devices to the latest versions, stay vigilant when running shortcuts obtained from untrusted sources, and keep updated to be in sync with relevant fixes introduced by the vendor.

To eliminate the risks of CVE-2024-23204 exploitation and its harmful impact, defenders should encourage cyber vigilance across the organization’s infrastructure. Leveraging Attack Detective, security engineers can gain attack surface visibility in real time and in an automated fashion, timely investigate risks, and find breaches before adversaries are ready to strike.

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts