CloudKit Bug: How Security Researcher Accidentally Broke Apple Shortcuts

CloudKit Bug: How a Security Researcher Accidentally Broke Apple Shortcuts
Detectify co-founder Frans Rosén looked for bugs in Apple's CloudKit system and discovered three significant security bugs. If you experienced problems with your Shortcuts back in March, the CloudKit bug may have been the reason. Dimitri Karastelev/Unsplash

A security researcher revealed in a post that he accidentally took down Apple Shortcuts earlier this year. Trying to dig a little deeper when he found a CloudKit bug, he unintentionally deleted Shortcuts and broke it. All the bugs have been reported since then and have been fixed.

Apple CloudKit Bug Hunt Leads to Series of Security Gaps

Bug bounty hunter Frans Rosén and co-founder of the security firm Detectify revealed in a post that he had accidentally taken down Shortcut sharing links while going about hunting for misconfigurations in Apple's CloudKit system, Apple Insider reported.

CloudKit is Apple's own technology for their apps' database, similar to Google's Firebase, Detectify explained. There are containers in CloudKit that prevent different apps from affecting each other even if they "live" on the same platform. The organization system ensures that data does not get entangled with other apps, and there are specialized zones and databases to easily separate app information by access type or function, said PC Mag.

Rosén started his hunt for security flaws in the CloudKit framework in mid-February and started tinkering with the containers and access to Private, Shared, and Public scopes. Soon he realized that the different authentication flows and security roles were rather complex. He wondered if internal Apple teams found this challenging as well and if that left any gap in their system.

Three days into searching for bugs, he found his way to access iCrowd+ by messing with the containers. He realized that he could modify the data of the website.

He promptly reported the issue to Apple on February 17. Apple fixed the issue by February 25, removing the usage of CloudKit from the website and sealing up the permissions.

After realizing that there could be more bugs related to permissions in the Public scope, Rosén set forth to check the other apps.

Proceeding to check on the Apple News app and after two days of figuring out how to modify the permissions, he deleted any channel or article with a few modifications in the container. The misconfiguration was reported to Apple on March 17, and by March 19, Apple fixed the permissions to deny access to anyone who would attempt to delete any channel or article moving forward.

CloudKit Bug Completely Shuts Down Shortcuts

Shortcuts was another Apple app that used the Public scope of ClouKit, Rosén said. The app allowed users to share shortcuts with other people using iCloud links.

Soon enough, he figured out that he could modify and even delete other users' shortcuts, which is not a great thing. While snooping around, he also tested the default zones. He was able to add new zones, and in an attempt to delete his own container using a different user, he discovered that it was not possible to delete any container's default zone. Rosén tried other methods just to see if it would work, and unfortunately, it did.

All of the shared shortcuts were gone even though the default zone never disappeared.

That was how, on March 23, users found that their links to a public Shortcut were not working. Rosén, in a panic, wrote to Apple Security, both acknowledging the severity of the situation and explaining the steps he took to prevent any service interruption. After a rather short email politely asking Rosén to stop with his tests, Apple got on to fixing the problem. Unfortunately, people on Twitter were quick to voice their problems with the Shortcuts issue.

The issue was resolved after two days, said PC Mag.

Because of the discovery of the bugs, the Apple Security Bounty program awarded the firm $12,000 for the discovery of the iCrowd+ bug, $24,000 for the Apple News bug, and $28,000 for the discovery of the Shortcuts problem, a total of $64,000 for the whole ordeal.

© 2024 iTech Post All rights reserved. Do not reproduce without permission.

More from iTechPost

Real Time Analytics