Researcher testing Apple CloudKit accidentally took Shortcuts completely down

Credit: AppleInsider

Frans Rosen, a bug bounty hunter for security firm Detectify, on Monday revealed that he had accidentally broke Shortcut sharing links while probing a misconfiguration in Apple's CloudKit system.

Earlier in 2021, Rosen said he was examining the security of Apple's services — and specifically CloudKit. Since many of Apple's own apps stored information in CloudKit databases, he was curious whether or not any specific app data could be modified by getting access to a public CloudKit container.

While investigating permissions in the CloudKit containers, he found several vulnerabilities related to iCrowd+, Apple News, and Shortcuts. At one point, he was able to delete a default zone without the proper permissions because of an Apple misconfiguration. That simple move, essentially, broke Shortcuts.

"All of them were gone. I now realized that the deletion did somehow work, but that the _defaultZone never disappeared," the researcher wrote. "When I tried sharing a new shortcut, it also did not work, at least not to begin with, most likely due to the record types also being deleted."

Rosen said he immediately reached out to Apple's security team, who told him to stop testing the system. The team then worked to resolve the issue, restoring Shortcuts and patching the problem by removing the options to delete or create public zones.

According to Rosen, the vulnerabilities did not allow him to access any private or user information. He was awarded a $28,000 bounty for his discovery by Apple's security team.

"Approaching CloudKit for bugs turned out to be a lot of fun, a bit scary, and a really good example of what a real deep-dive into one technology can result in when hunting bugs," Rosen said. "The Apple Security team was incredibly helpful and professional throughout the process of reporting these issues."