Don't take any ‘shortcuts' – Positive Technologies find critical vulnerability in macOS application

Tahawul Tech, 4 days ago

PT SWARM expert Egor Filatov found a critical vulnerability in Shortcuts, a built-in macOS app that streamlines device management by automating repetitive user actions. If successfully exploited, the security flaw could allow an attacker to gain full control over the device, including the ability to read, edit, and delete any data.
If the compromised device happens to be a laptop connected to a corporate network, the attacker could also infiltrate the internal company infrastructure.
The vulnerability, tracked as BDU:2025-02497 and rated 8.6 out of 10 on the CVSS 3.0 scale, affects Shortcuts 7.0 (2607.1.3). The vendor was notified of the threat in line with the responsible disclosure policy and has already released a software patch.
Users are advised to upgrade to macOS Sequoia 15.5 or later. If updating the OS is not currently possible, Positive Technologies recommends that users pay close attention to downloaded shortcuts before running them, or avoid using them altogether.
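A quick patch-status check for the remediation above, added here as an example and not code from the article or from Positive Technologies: it compares a host's macOS version against the 15.5 fix level named in the article. The Shortcuts.app path and the Info.plist key used to print the installed Shortcuts version are assumptions.

```shell
#!/bin/sh
# macOS version that carries the Shortcuts fix, per the article.
FIXED_OS_VERSION="15.5"

# version_ge A B: exit 0 if dotted version A >= B, comparing each
# numeric component in turn (so 15.10 > 15.5 and 15 < 15.5).
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}       # current component of each side
        a=${a#*.};  b=${b#*.}        # drop it for the next iteration
        x=${x:-0};  y=${y:-0}        # missing component counts as 0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# patch_status VERSION: print "patched" or "update-required".
patch_status() {
    if version_ge "$1" "$FIXED_OS_VERSION"; then
        echo patched
    else
        echo update-required
    fi
}

# On a live Mac, report the installed version (sw_vers is macOS-only).
if [ "$(uname)" = "Darwin" ]; then
    os_version=$(sw_vers -productVersion)
    # Assumed location of the system Shortcuts app bundle.
    shortcuts_version=$(defaults read \
        /System/Applications/Shortcuts.app/Contents/Info.plist \
        CFBundleShortVersionString 2>/dev/null || echo unknown)
    printf 'macOS %s (Shortcuts %s): %s\n' \
        "$os_version" "$shortcuts_version" "$(patch_status "$os_version")"
fi
```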
The Shortcuts app was introduced with macOS Monterey back in 2021 and has been supported in macOS Ventura, Sonoma, and Sequoia versions over the past four years.
With the app, users can create shortcuts to automate various tasks, such as starting a timer, playing music, or converting text to audio. Users also have access to macros[1] that provide ready-made shortcuts. A threat actor could leverage this functionality by uploading infected templates to the library. For the security flaw to be exploited, it would be enough for the victim to inadvertently run a malicious macro on their device.
'An attacker could exploit this vulnerability to target any Shortcuts user,' said Egor Filatov, Junior Mobile Application Security Researcher at Positive Technologies. 'Before remediation, the vulnerability allowed an attacker to bypass macOS security mechanisms and execute arbitrary code on the victim's system.'
According to the expert, the potential consequences of successful attacks include the following:
• Theft of confidential data or deletion of valuable information
• Malware execution
• Installation of backdoors[2] aimed at maintaining access to the system even after the vulnerability is patched
• Ransomware[3] infection
• Disruption to the organization's business processes (if a corporate device is compromised)
Positive Technologies experts have been studying Apple products for over a decade. In 2018, Maxim Goryachy and Mark Ermolov, while looking for security flaws in Intel Management Engine, found a firmware vulnerability (CVE-2018-4251) affecting personal computers made by Apple and other manufacturers.
In 2017, Timur Yunusov warned the community about multiple security gaps he discovered in Apple Pay: by exploiting the vulnerabilities, attackers could compromise users' bank cards and make unauthorized payments on external resources.
Before that, another Positive Technologies researcher found and helped eliminate a critical vulnerability in the apple.com website, which could allow an adversary to conduct a directory traversal attack and gain access to private data.
In addition to the macOS version of Shortcuts, there is also an iOS version of the app for mobile devices. To prevent threat actors from infiltrating the corporate network via vulnerable mobile apps, companies should protect their apps against reverse engineering. This can be done with solutions such as PT MAZE, which turns the application into an impenetrable maze, making attacks too resource-intensive for adversaries.
[1] A macro is a pre-programmed sequence of actions defined by the user.
[2] A backdoor is a type of malware that allows unauthorized access to data or enables remote control of the compromised system. Typically, an attacker installs a backdoor on a target system for future access.
[3] Ransomware is a type of malware that encrypts a victim's files or locks them out of their computer system, giving the attacker control over any personal information stored on the compromised device. The attacker can then demand a ransom, threatening to leave the files or system inaccessible to the victim or to disclose confidential data if the ransom is not paid.