Security researchers triggered deletion of Apple’s shortcuts | #ios | #apple | #iossecurity | #education | #technology | #infosec

Last spring, an apparent bug in Apple’s iOS shortcuts app made countless shared shortcuts temporarily inaccessible. Only the error message appeared that the respective shortcut was “not found”. As has now become known, the failure was not a hosting problem or a bug with Apple itself. Instead, the shortcuts deleted came from a security researcher who had apparently made a mistake while experimenting.

Rights problems when hacking around

Like the IT security specialist Frans Rosen admitted on Twitter last week, last spring he worked for the security laboratory Detectify Labs on possible security gaps in the context of Apple’s CloudKit interface. “I found some rights issues when I did [da] hacked (…) with one of them, I accidentally deleted Apple’s shared shortcuts. “In his more detailed explanations Rosen wrote that the matter had a “happy ending”. The security researcher reported the bug to Apple and explained how it came about. He had “taken extra steps to avoid service interruptions”.

Despite the fact that his actions had violated Apple’s bug bounty program – in which one must not cause harm – the company was apparently not upset after Rosen explained. He had succeeded in creating zones and deleting them as well. However, the researcher would have to use “less destructive means” if he wanted to investigate CloudKit further, Apple said in an email. For the three problems that Rosen discovered, he finally received money: 12,000, 24,000 and 28,000 US dollars, for a total of 64,000 dollars for his work.

Apple News and iCrowd + also affected

The bugs in CloudKit, Apple’s data storage framework for its operating systems, were quite significant. As it turned out, the access rights could be misconfigured, which Apple itself apparently did. This also affected the Group’s own apps that use CloudKit. Rosen discovered related problems in the Apple News application and in the Siri improvement app iCrowd +, which Apple only gives to certain user groups. Apple has now filled all the gaps.

(bsc)