Friday, January 25, 2019

Malicious Shortcuts


I’ve just been made aware (by @AvimanyuRoy3) that it is trivially easy to steal highly sensitive & personal information from an iPhone via Shortcuts

Just browsing through the malicious Shortcut is mind blowing

You’ll be unsettled what your phone has on you

From highly personal contacts, names you’ve typed into iMessage, addresses, browsing history, app usage, file contents

I’d even loaded the entire text of Dickens’ David Copperfield into Codea recently to test editing performance. Names and places from the story were indexed

This was from a Shortcut that was disguised to look like a memory cleaner. But it really zipped the above data, uploaded it, then sent the link via iMessage to an attacker. The details were obfuscated in the shortcut through base64 encoding

You couldn’t expect a reasonable user to know what they were agreeing to run when receiving an Apple-hosted link to this shortcut

With automatic scheduling of shortcuts you could possibly trick someone into running a key logger

I’ve disclosed all the details to Apple and hope that they fix it, but the more Shortcuts becomes mainstream, the more people need to be aware of how they can be powerfully misused

Comments RSS · Twitter

Leave a Comment