{"id":24083,"date":"2019-01-25T16:03:17","date_gmt":"2019-01-25T21:03:17","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=24083"},"modified":"2019-01-25T16:03:17","modified_gmt":"2019-01-25T21:03:17","slug":"malicious-shortcuts","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2019\/01\/25\/malicious-shortcuts\/","title":{"rendered":"Malicious Shortcuts"},"content":{"rendered":"<p><a href=\"https:\/\/twitter.com\/twolivesleft\/status\/1088080307457159169\">Simeon<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/twolivesleft\/status\/1088080307457159169\"><p>I&rsquo;ve just been made aware (by @AvimanyuRoy3) that it is trivially easy to steal highly sensitive &amp; personal information from an iPhone via Shortcuts<\/p><p>Just browsing through the malicious Shortcut is mind blowing<\/p><p>You&rsquo;ll be unsettled what your phone has on you<\/p><p>From highly personal contacts, names you&rsquo;ve typed into iMessage, addresses, browsing history, app usage, file contents<\/p><p>I&rsquo;d even loaded the entire text of Dickens&rsquo; David Copperfield into Codea recently to test editing performance. Names and places from the story were indexed<\/p><p>This was from a Shortcut that was disguised to look like a memory cleaner. But it really zipped the above data, uploaded it, then sent the link via iMessage to an attacker. The details were obfuscated in the shortcut through base64 encoding<\/p><p>You couldn&rsquo;t expect a reasonable user to know what they were agreeing to run when receiving an Apple-hosted link to this shortcut<\/p><p>With <a href=\"https:\/\/tow.com\/shortcuts\/cronios\/\">automatic scheduling of shortcuts<\/a> you could possibly trick someone into running a key logger<\/p><p>I&rsquo;ve disclosed all the details to Apple and hope that they fix it, but the more Shortcuts becomes mainstream, the more people need to be aware of how they can be powerfully misused<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Simeon: I&rsquo;ve just been made aware (by @AvimanyuRoy3) that it is trivially easy to steal highly sensitive &amp; personal information from an iPhone via ShortcutsJust browsing through the malicious Shortcut is mind blowingYou&rsquo;ll be unsettled what your phone has on youFrom highly personal contacts, names you&rsquo;ve typed into iMessage, addresses, browsing history, app usage, file [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2019-01-25T21:03:19Z","apple_news_api_id":"a323e3f6-1b34-42c0-b52e-11dab8e9bfb2","apple_news_api_modified_at":"2019-01-25T21:03:20Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/AoyPj9hs0QsC1LhHauOm_sg","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[31,1610,504,355,1686],"class_list":["post-24083","post","type-post","status-publish","format-standard","hentry","category-technology","tag-ios","tag-ios-12","tag-malware","tag-privacy","tag-shortcuts"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/24083","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=24083"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/24083\/revisions"}],"predecessor-version":[{"id":24084,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/24083\/revisions\/24084"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=24083"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=24083"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=24083"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}