
Exploit Found In CloudKit Lets Developer Delete Other Users’ Shortcuts


Last Updated on September 15, 2021 by Calvin C.

Frans Rosén, a security advisor at Detectify, found a way to delete public Siri shortcuts using an exploit found in CloudKit. This also allowed him to delete content from other Apple apps, e.g. Apple News.

CloudKit is an Apple framework integrated into iOS and macOS. It works as a backend for apps, acting as an interface for moving data between your apps and your iCloud containers.

It stores your app’s existing data in the cloud to allow users to access it on multiple devices.

This project started off in mid-February 2021 as Frans Rosén looked for exploits on Apple’s platforms, scrutinizing traffic from all apps and details of CloudKit.

He discovered that public content shared on iCloud is accessible to anyone with public tokens, which is dangerous if the exploit is in the wrong hands.

This is in contrast to the strict requirement of credentials in order to read and write private content.

To put it simply, he managed to obtain a valid token for accessing public content by checking the connections Apple’s apps make to the CloudKit API.

Rosén wrote on the Detectify blog:

“I spent way too much time on this, almost two days straight, but as soon as I found methods I could use, modification of records in the Public scope still needed authorization for my user, and I was never able to figure out how to generate a X-CloudKit-AuthToken for the proper scope, since I was mainly interested in the Private scope.”

Eventually, he was able to delete links to all Apple News articles, and with the same process he also managed to break links to Siri Shortcuts, something that Apple users noticed in March 2021. During that period, Apple reassured users:

“We are aware of an issue where previously shared shortcuts are currently unavailable. Newly shared shortcuts are available, and we are working to restore previously shared shortcuts as quickly as possible.”

Rosén informed Apple about the security gap and the issue was resolved under the Apple Security bounty project. You can read more about the whole process on the Detectify blog.
