Aside from fixing the group FaceTime eavesdropping bug on iPhone, iPad and Mac with the iOS 12.1.4 software update and the macOS Mojave 10.14.3 Supplemental Update, Apple has also resolved a major security issue with the Shortcuts app.
As we reported last week, Apple’s Shortcuts app for iOS automation was plagued by a major oversight that let an attacker create and distribute a malicious shortcut that collects contacts, addresses, files and other user data and sends a ZIP file via iMessage to the attacker in the background.
Although the App Store release notes accompanying today’s Shortcuts 2.1.3 update mention only unspecified bug fixes and improvements, a support document on Apple’s website offers detailed information about the security content of the update.
The first bug enabled a local user to view sensitive user information due to a parsing issue in the handling of directory paths; it was addressed with improved path validation.
The other flaw, which circumvented Apple’s sandbox restrictions, was fixed as well. The security document credits Avimanyu Roy for reporting these issues.
“We would like to acknowledge Sem Voigtländer of Fontys Hogeschool ICT for their assistance,” the document reads.