Malicious Shortcuts
I’ve just been made aware (by @AvimanyuRoy3) that it is trivially easy to steal highly sensitive & personal information from an iPhone via Shortcuts
Just browsing through the malicious Shortcut is mind blowing
You’ll be unsettled what your phone has on you
From highly personal contacts, names you’ve typed into iMessage, addresses, browsing history, app usage, file contents
I’d even loaded the entire text of Dickens’ David Copperfield into Codea recently to test editing performance. Names and places from the story were indexed
This was from a Shortcut that was disguised to look like a memory cleaner. But it really zipped the above data, uploaded it, then sent the link via iMessage to an attacker. The details were obfuscated in the shortcut through base64 encoding
You couldn’t expect a reasonable user to know what they were agreeing to run when receiving an Apple-hosted link to this shortcut
With automatic scheduling of shortcuts you could possibly trick someone into running a key logger
I’ve disclosed all the details to Apple and hope that they fix it, but the more Shortcuts becomes mainstream, the more people need to be aware of how they can be powerfully misused