A security researcher revealed in a post that he accidentally took down Apple Shortcuts earlier this year. Trying to dig a little deeper when he found a CloudKit bug, he unintentionally deleted Shortcuts and broke it. All the bugs have been reported since then and have been fixed.
Apple CloudKit Bug Hunt Leads to Series of Security Gaps
Bug bounty hunter Frans Rosén, co-founder of the security firm Detectify, revealed in a post that he had accidentally taken down Shortcuts sharing links while hunting for misconfigurations in Apple's CloudKit system, Apple Insider reported.
CloudKit is Apple's own technology for their apps' database, similar to Google's Firebase, Detectify explained. There are containers in CloudKit that prevent different apps from affecting each other even if they "live" on the same platform. The organization system ensures that data does not get entangled with other apps, and there are specialized zones and databases to easily separate app information by access type or function, said PC Mag.
I found some permission issues when hacking Apple CloudKit. I wrote about three of them @detectify labs, one where I accidentally deleted all shared Apple Shortcuts. https://t.co/bwNOLJIeIo
— Frans Rosén (@fransrosen) September 13, 2021
Rosén started his hunt for security flaws in the CloudKit framework in mid-February and started tinkering with the containers and access to Private, Shared, and Public scopes. Soon he realized that the different authentication flows and security roles were rather complex. He wondered if internal Apple teams found this challenging as well and if that left any gap in their system.
Three days into searching for bugs, he found a way to access iCrowd+ by experimenting with the containers. He realized that he could modify the data of the website.
He promptly reported the issue to Apple on February 17. Apple fixed the issue by February 25, removing the usage of CloudKit from the website and sealing up the permissions.
After realizing that there could be more bugs related to permissions in the Public scope, Rosén set forth to check the other apps.
He then moved on to the Apple News app and, after two days of figuring out how to modify the permissions, was able to delete any channel or article with a few modifications in the container. The misconfiguration was reported to Apple on March 17, and by March 19, Apple had fixed the permissions to deny access to anyone attempting to delete any channel or article.
Okay, WTF. The entire @macstoriesnet Shortcuts Archive has broken links right now. None of the links to my hundreds of shortcuts are working anymore.
I *seriously* hope Apple has a quick fix for this. https://t.co/MGwB1bRhHD https://t.co/5BMhhbdoqC
— Federico Viticci (@viticci) March 24, 2021
CloudKit Bug Completely Shuts Down Shortcuts
Shortcuts was another Apple app that used the Public scope of CloudKit, Rosén said. The app allowed users to share shortcuts with other people using iCloud links.
Soon enough, he figured out that he could modify and even delete other users' shortcuts, which is not a great thing. While snooping around, he also tested the default zones. He was able to add new zones, and in an attempt to delete his own container using a different user, he discovered that it was not possible to delete any container's default zone. Rosén tried other methods just to see if it would work, and unfortunately, it did.
All of the shared shortcuts were gone even though the default zone never disappeared.
That was how, on March 23, users found that their links to a public Shortcut were not working. Rosén, in a panic, wrote to Apple Security, both acknowledging the severity of the situation and explaining the steps he took to prevent any service interruption. After a rather short email politely asking Rosén to stop with his tests, Apple got on to fixing the problem. Unfortunately, people on Twitter were quick to voice their problems with the Shortcuts issue.
The issue was resolved after two days, said PC Mag.
Apple has begun restoring links to old shortcuts. Some links in the @macstoriesnet Shortcuts Archive are still broken, but a lot of them are active again. https://t.co/MGwB1bRhHD
— Federico Viticci (@viticci) March 25, 2021
For the discoveries, the Apple Security Bounty program awarded the firm $12,000 for the iCrowd+ bug, $24,000 for the Apple News bug, and $28,000 for the Shortcuts problem, a total of $64,000 for the whole ordeal.