The Apple iOS and macOS vulnerability known as CVE-2024-23204 enables the creation of a malicious shortcut file capable of bypassing Apple’s Transparency, Consent, and Control (TCC) security framework. This framework is designed to ensure that apps explicitly ask users for permission before accessing certain data or functionalities.

The bug poses a risk to macOS and iOS devices running versions prior to;

• macOS Sonoma 14.3
• iOS 17.3
• iPadOS 17.3

It has been rated 7.5 out of 10 on the Common Vulnerability Scoring System (CVSS) due to its potential for remote exploitation without needing any privileges.

This means that if a user adds a malicious shortcut to their library, it can covertly steal sensitive data and system information without requiring user permission.

The vulnerability may allow the attacker direct access to confidential information or critical systems and compromise the system.

An attacker could use a Flask program to capture the transmitting data to collect the sensitive information for future exploitation.

It is highly recommended for users to apply updates to the latest version of the apple Shortcut Software.