
Exploit found in CloudKit let developer delete other users’ Shortcuts

CloudKit is an Apple framework integrated into iOS and macOS that works as a backend for apps. Developer Frans Rosén has found a way to use Apple’s cloud platform to delete public Siri Shortcuts and even content from other Apple apps such as Apple News.

Rosén began searching for exploits on Apple’s platforms in February of this year. He started checking the traffic of all Apple apps and studying CloudKit in depth. While you always need credentials to read and write private content, the developer found out that public content shared in iCloud can be accessed by anyone with public tokens.

By checking the connections of Apple’s apps with the CloudKit API, Rosén was able to get a valid token to access public content from iCloud. Of course, the actual process was far more complex than it sounds, but the result could be disastrous for Apple if this exploit fell into the wrong hands.

"I spent way too much time on this, almost two days straight, but as soon as I found methods I could use, modification of records in the Public scope still needed authorization for my user, and I was never able to figure out how to generate an X-CloudKit-AuthToken for the proper scope, since I was mainly interested in the Private scope."

After multiple commands, the developer was able to delete the links to all public Apple News articles.


Using a similar method, he was also able to break all public links to Siri Shortcuts shared by users. Apple confirmed this on March 25 without saying that it was a security exploit.

Rosén reached out to the Apple Security team, which later fixed the security breach.

"Approaching CloudKit for bugs turned out to be a lot of fun, a bit scary, and a really good example of what a real deep-dive into one technology can result in when hunting bugs. The Apple Security team was incredibly helpful and professional throughout the process of reporting these issues."

If you want to read more in-depth details about the exploit, the developer shared how the attack was done on the Detectify blog.


Author

Filipe Espósito

Filipe Espósito is a Brazilian tech Journalist who started covering Apple news on iHelp BR with some exclusive scoops — including the reveal of the new Apple Watch Series 5 models in titanium and ceramic. He joined 9to5Mac to share even more tech news around the world.
