
CVE-2024-23204: A shortcut may be able to use sensitive data with certain actions without prompting the user in Apple iOS and iPadOS

Severity: High
Type: Vulnerability
Tags: CVE-2024-23204, cve, cve-2024-23204
Published: Tue Jan 23 2024 (01/23/2024, 00:25:30 UTC)
Source: CVE Database V5
Vendor/Project: Apple
Product: iOS and iPadOS

Description

The issue was addressed with additional permissions checks. This issue is fixed in macOS Sonoma 14.3, watchOS 10.3, iOS 17.3 and iPadOS 17.3. A shortcut may be able to use sensitive data with certain actions without prompting the user.

AI-Powered Analysis

Last updated: 11/05/2025, 00:01:27 UTC

Technical Analysis

CVE-2024-23204 is a vulnerability in Apple iOS and iPadOS that allows a shortcut to access sensitive data without prompting the user for permission. Shortcuts are automated workflows that users can create or download to perform tasks on their devices. Normally, when a shortcut attempts to access sensitive data, iOS and iPadOS prompt the user to grant permission, ensuring user consent and preventing unauthorized access. However, due to insufficient permission checks in affected versions, a malicious or crafted shortcut can bypass these prompts and access sensitive data silently. This flaw affects iOS and iPadOS versions prior to 17.3; Apple addressed the issue by implementing additional permission checks in iOS 17.3 and iPadOS 17.3, as well as macOS Sonoma 14.3 and watchOS 10.3.

The vulnerability has a CVSS 3.1 base score of 7.5, indicating high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). This means an attacker can exploit the vulnerability remotely without any authentication or user interaction to access sensitive data, potentially leading to data leakage.

There are currently no known exploits in the wild. The vulnerability is particularly concerning because it undermines the security model of user consent for data access on Apple devices, potentially exposing personal or corporate sensitive information to malicious shortcuts.

Potential Impact

For European organizations, this vulnerability poses a significant risk to data confidentiality on Apple mobile devices. Many enterprises and government agencies in Europe rely on iOS and iPadOS devices for communication, productivity, and sensitive operations. An attacker exploiting this flaw could silently extract sensitive data such as contacts, location, messages, or corporate credentials without user knowledge, leading to data breaches, loss of privacy, and potential regulatory non-compliance under GDPR. The lack of user interaction or authentication required for exploitation increases the attack surface, especially in environments where users install shortcuts from untrusted sources or where device management policies are lax. This could impact sectors including finance, healthcare, government, and critical infrastructure where sensitive data protection is paramount. Additionally, the vulnerability could be leveraged in targeted attacks or espionage campaigns against high-value European targets using Apple devices. Although no exploits are currently known in the wild, the ease of exploitation and high confidentiality impact necessitate urgent attention.

Mitigation Recommendations

European organizations should immediately prioritize updating all affected Apple devices to iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3 or later to apply the security fixes. Beyond patching, organizations should audit and restrict the use of shortcuts, especially those obtained from untrusted sources, by implementing mobile device management (MDM) policies that control shortcut installation and execution. User training should emphasize the risks of installing shortcuts from unknown developers. Additionally, monitoring device logs for unusual shortcut activity can help detect exploitation attempts. Organizations should enforce strict app and shortcut permission policies and consider disabling shortcuts entirely on devices handling highly sensitive data if feasible. Regular security assessments and penetration testing focusing on shortcut-related attack vectors can further reduce risk. Finally, integrating endpoint detection and response (EDR) solutions capable of monitoring iOS/iPadOS behaviors may provide early warning of exploitation attempts.
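The patching step above can be checked against a device inventory. The following is an added example, not part of the original advisory or any vendor tooling: it compares each device's OS version with the fixed releases named in the description. The CSV column names and the sample rows are constructed for illustration, and any version below the fixed release for its platform is treated as unpatched.

```python
import csv
import io

# Fixed releases as listed in the advisory description for CVE-2024-23204.
FIXED = {"ios": (17, 3), "ipados": (17, 3), "macos": (14, 3), "watchos": (10, 3)}

# Constructed sample inventory; column names are assumptions, not an MDM vendor's format.
SAMPLE_INVENTORY = """serial,platform,os_version
C0NSTRUCT01,iOS,17.2.1
C0NSTRUCT02,iPadOS,17.3
C0NSTRUCT03,macOS,14.10
C0NSTRUCT04,watchOS,10.2
C0NSTRUCT05,iOS,16.7.5
C0NSTRUCT06,tvOS,17.2
C0NSTRUCT07,iOS,17.x-beta
"""


def parse_version(text):
    """Turn '17.2.1' into (17, 2, 1); raise ValueError on anything non-numeric."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(platform, os_version):
    """Return 'patched', 'needs_update' or 'review' for one device."""
    fixed = FIXED.get(platform.strip().lower())
    if fixed is None:
        return "review"  # platform not named in the advisory
    try:
        version = parse_version(os_version)
    except ValueError:
        return "review"  # unparseable version string, check by hand
    # Pad so '17' compares as 17.0; tuple comparison stays numeric
    # (a string comparison would rank '14.10' below '14.3').
    padded = version + (0,) * (len(fixed) - len(version))
    return "patched" if padded >= fixed else "needs_update"


def triage(csv_text):
    """Group device serials by status from a CSV inventory export."""
    report = {"patched": [], "needs_update": [], "review": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row.get("platform") or "", row.get("os_version") or "")
        report[status].append(row.get("serial") or "")
    return report


if __name__ == "__main__":
    for status, serials in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(serials) or '-'}")
```

Devices in the "review" group are those the advisory's version list cannot decide, such as unlisted platforms or malformed version strings.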


Technical Details

Data Version: 5.1
Assigner Short Name: apple
Date Reserved: 2024-01-12T22:22:21.475Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6839c41d182aa0cae2b435ef

Added to database: 5/30/2025, 2:43:41 PM

Last enriched: 11/5/2025, 12:01:27 AM

Last updated: 12/3/2025, 5:07:37 PM

Views: 37
