Apple shortcuts are broken – here’s why
Back on March 23, every link to Apple shortcuts experienced an accidental downtime. Whereas, Apple’s automation tool suddenly broke and took two days to resolve the mishap. What transpired during that downtime is that users start reporting error messages when they try to access shared shortcuts.
According to 9to5Mac, this unusual issue was a concern of content creators who usually share shortcuts to their followers via iCloud. Concerning this, the real reason is; Detectify Co-Founder Frans Rosen had accidentally deleted the Shortcuts.
As Rosen noted, he began searching for security defects in the framework of Apple Cloudkit. With several misconfiguration flaws he found, he was able to modify the information stored in iCloud databases and “delete any channel or article, including stock entries, in the storage com.apple.news.public being used for the Stock and Apple News iOS-apps.”
I found some permission issues when hacking Apple CloudKit. I wrote about three of them @detectify labs, one where I accidentally deleted all shared Apple Shortcuts.https://t.co/bwNOLJIeIo pic.twitter.com/0YnX7T8KrWFEATURED STORIES
— Frans Rosén (@fransrosen) September 13, 2021
Rosen also said that he was ”curious” to check if any specific data can be modified with the accessibility to public Cloudkit containers. He discovered that connect to Cloudkit with various APIs. The researcher said that there are three scopes in the containers – Public (anyone can access), Private (you’re the only one who has access), Shared (can be shared between users).
What prompted the misconfiguration
Detectify said that the issue found in Apple shortcuts “caused all Shortcut sharing links to break, and it was quickly noticed amongst Apple users, media reporters, and especially Shortcuts fans”.
According to Rosen, he had tried various ways to delete public zones before. However, it was always denied. But while working in the Apple Shortcuts database, he found he can create zones. He also received an “OK” message while attempting to delete a default zone.
In a nutshell, Apple shortcuts misconfiguration is the culprit. Rosen shared. “I now realized that the deletion did somehow work, but that the _defaultZone never disappeared. When I tried sharing a new shortcut, it also didn’t work, at least not to begin with, most likely due to the deleted record types .”
When it came at this point, Rosen immediately contacted Apple’s security team. Apple asked him to stop immediately. Then, Apple’s Security team started to fix the issue by restoring Apple Shortcuts’ functionalities. They also resolved the problem by refining security controls and panels. Apple team also removed the options of creating and deleting public zones.
While this incident has Rosen panicking, he received a bug bounty worth $28,000 for his discovery. This causes unintentional downtime for Apple users.
Rosen also earned bounties of $24,000 and $12,000 with the other vulnerabilities in Apple News and iCrowd.
An Apple spokesperson said, “We would like to thank this researcher for working side by side with us to keep our users and their data safe. He immediately reported his actions so that we were able to quickly fix the issues documented and restore functionality after the researcher unintentionally disrupted the ability to use iCloud sharing links for Apple shortcuts.”