Watch out! Siri Shortcuts on iOS can steal confidential data
With the launch of iOS 12 last year, Apple introduced Siri Shortcuts as a cool new way to automate complex tasks. The company offered its own pre-designed set of Shortcuts and even gave users an option to create/share custom shortcuts for different tasks. But, as it turns out, the same flexibility from the Cupertino giant opens gates for stealing data from iPhones. Here's how.
How Shortcuts can be used to steal data?
Simeon Saëns, the developer of iPad app Codea, has revealed that bad actors can create and share custom shortcuts to steal personal and highly confidential information from your phone. Just recently, he was tipped about a malicious shortcut, which posed as a regular memory cleaner but actually siphoned off information from iPhones, uploaded it online, and sent its link to an attacker via iMessage.
Here's what the developer tweeted
And, it stole a trove of information
And, what's even more worrying is the amount of information an attacker could mine using Shortcuts. In this particular case, it was "personal contacts, names you've typed into iMessage, addresses, browsing history, app usage, [and] file contents".
Apple notified about the issue, but questions remain
Simeon has contacted Apple regarding the issue and hopes that the malicious Shortcut would be removed soon. However, that's not the real issue; lack of oversight and regulation of Siri Shortcuts (like iOS apps) is the main problem. "You couldn't expect a reasonable user to know what they were agreeing to run when receiving an Apple-hosted link," the developer emphasized on Twitter.
So, watch out when you download Siri Shortcuts
That said, it is imperative to note that anyone can create and share Siri Shortcuts, even someone who wants to mine your data. To avoid malicious Shortcuts, it is recommended to exercise caution while downloading and installing intriguing shortcuts available through Reddit threads or websites like ShortcutsGallery.com. As an additional step, go through comments to make sure if they work as promised or not.
