Watch out! Siri Shortcuts on iOS can steal confidential data
What's the story
With the launch of iOS 12 last year, Apple introduced Siri Shortcuts as a cool new way to automate complex tasks. The company offered its own pre-designed set of Shortcuts and even gave users an option to create/share custom shortcuts for different tasks. But, as it turns out, the same flexibility from the Cupertino giant opens gates for stealing data from iPhones. Here's how.
Issue
How Shortcuts can be used to steal data?
Simeon Saëns, the developer of iPad app Codea, has revealed that bad actors can create and share custom shortcuts to steal personal and highly confidential information from your phone. Just recently, he was tipped about a malicious shortcut, which posed as a regular memory cleaner but actually siphoned off information from iPhones, uploaded it online, and sent its link to an attacker via iMessage.
Twitter Post
Here's what the developer tweeted
I’ve just been made aware (by @AvimanyuRoy3) that it is trivially easy to steal highly sensitive personal information from an iPhone via Shortcuts
— Simeon (@twolivesleft) January 23, 2019
Just browsing through the malicious Shortcut is mind blowing
You'll be unsettled what your phone has on you /1
Information
And, it stole a trove of information
And, what's even more worrying is the amount of information an attacker could mine using Shortcuts. In this particular case, it was "personal contacts, names you've typed into iMessage, addresses, browsing history, app usage, [and] file contents".
Apple's fix
Apple notified about the issue, but questions remain
Simeon has contacted Apple regarding the issue and hopes that the malicious Shortcut would be removed soon. However, that's not the real issue; lack of oversight and regulation of Siri Shortcuts (like iOS apps) is the main problem. "You couldn't expect a reasonable user to know what they were agreeing to run when receiving an Apple-hosted link," the developer emphasized on Twitter.
Recommendation
So, watch out when you download Siri Shortcuts
That said, it is imperative to note that anyone can create and share Siri Shortcuts, even someone who wants to mine your data. To avoid malicious Shortcuts, it is recommended to exercise caution while downloading and installing intriguing shortcuts available through Reddit threads or websites like ShortcutsGallery.com. As an additional step, go through comments to make sure if they work as promised or not.