Developers warn of a vulnerability in iOS, the mobile operating system of the iPhone, iPad and iPod touch. Once downloaded, manipulated shortcuts for Apple's Shortcuts app could access system files that should be protected by the iOS sandbox.
A security hole in Apple's sandbox access control allows access to protected files on iPhone, iPad, and iPod touch.
The manipulated shortcuts can break out of Apple's sandbox and access system files containing personal user data, security researchers warn. The sandbox restricts access to sensitive resources at the app level. It is, so to speak, a last line of defense against theft, corruption and deletion of user data. In addition, the sandbox is designed to prevent attackers from hijacking system hardware by successfully exploiting vulnerabilities in apps.
For example, a sandboxed application may only use certain features if users have explicitly consented. Examples include access to hardware such as the camera and microphone, as well as network connections or app data such as calendar, location and contacts. The user must also consent to access to user files such as downloads, pictures, music or movies.
Vulnerability in Apple's Shortcuts App
A vulnerability in iOS, the operating system of the iPhone, iPad and iPod touch, now allows access under certain conditions to system files that should be protected by the iOS sandbox. This is the case when manipulated shortcuts are downloaded for Apple's Shortcuts app. With the app, users can perform app tasks faster. They can run the shortcuts available on their iOS device, and they can also use the app to create their own. The app is designed to simplify day-to-day tasks by combining steps from multiple apps and executing them one after the other as a workflow. For example, users can create the “go surfing” shortcut, which displays the surf report and the estimated time of arrival at the beach and plays a playlist of surf music. The building blocks of a shortcut are actions. Each action is a single step in a task. Users can mix and match actions to create shortcuts that interact with the apps and content of the iOS device (iPhone, iPad, or iPod touch), as well as with content and services from the Internet.
Accessing the iOS operating system with manipulated shortcuts
A simple directory traversal vulnerability in Apple's Shortcuts app now opens the door to otherwise protected directories that contain detailed data about how the device is used. Developers use the term directory traversal for a vulnerability in a web server or web application. Attackers can access files and directories that should be protected simply by entering URLs or supplying manipulated shortcuts from the outside. Attack targets may include files containing sensitive information such as address information, credit card numbers, or passwords.
Apple Vulnerability: Sandbox Failed
The current vulnerability makes it possible to overcome the sandbox through the “Create Folder” action in Apple's Shortcuts app. To do this, it is sufficient to move up in the directory structure by means of a series of “../” sequences in order to open a desired directory. The protection and control function of the sandbox apparently fails here. In tests, developers were able to show that system files can be read out and sent as a zip file via iMessage. In this way it is possible to gain access to SMS databases, notes, usage information and other analytics data. Data from Apple's home networking protocol “HomeKit” can also be stolen. Even cached images can be accessed, notes developer Khaos Tian, who had discovered a serious HomeKit vulnerability.
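The containment check that a folder-creating action needs in order to stop “../” sequences from leaving its permitted directory, as an added example; this is not Apple's code. The function names, the `Shortcuts` and `Library` directory names and the sample folder names are assumptions constructed for illustration.

```python
import os
import tempfile

class PathEscapeError(ValueError):
    """The requested folder resolves outside the permitted root."""

def resolve_inside(root, user_path):
    """Canonicalize user_path under root; raise if the result leaves root."""
    if os.path.isabs(user_path) or "\x00" in user_path:
        raise PathEscapeError(user_path)
    root_real = os.path.realpath(root)
    # realpath collapses "../" and follows symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    # commonpath compares whole components, so "Shortcuts-backup" does not
    # pass as a child of "Shortcuts" the way a string-prefix test would allow.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathEscapeError(user_path)
    return candidate

def create_folder(root, user_path):
    """Hypothetical 'create folder' step that only ever writes below root."""
    target = resolve_inside(root, user_path)
    os.makedirs(target, exist_ok=True)
    return target

def demo():
    """Run constructed folder names against a throwaway directory tree."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "Shortcuts")     # constructed layout
        private = os.path.join(base, "Library")    # stands in for protected data
        os.makedirs(root)
        os.makedirs(private)
        os.symlink(private, os.path.join(root, "link"))  # symlink out of root
        # What an unchecked join would hand to the filesystem:
        unchecked = os.path.normpath(os.path.join(root, "../Library"))
        results = {"unchecked_leaves_root": unchecked == private}
        names = ["Reports/2019", "../Library", "a/../../Library",
                 "../Shortcuts-backup", "link/sub", "/etc"]
        for name in names:
            try:
                create_folder(root, name)
                results[name] = "created"
            except PathEscapeError:
                results[name] = "rejected"
        return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r}: {outcome}")
```

The comparison is made on the canonical path rather than on the string the caller supplied, which is why the symlink case and the look-alike sibling directory are rejected along with the plain “../” input.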
Check Apple Shortcuts Carefully Before Downloading
There currently appears to be no way for hackers to exploit the vulnerability remotely and without user interaction. However, attackers can offer manipulated shortcuts for download. Until Apple fixes the vulnerability in the Shortcuts app, users should check downloaded shortcuts before running them.