How ethical hacker Frans Rosén deleted your Apple Shortcuts via CloudKit

SHORT SUMMARY: STOCKHOLM, SWEDEN – In February 2021, Detectify co-founder and Crowdsource hacker Frans Rosén was looking for security bugs in Apple services. Noticing that many of Apple’s own apps store their data in public databases on Apple’s data storage framework CloudKit, Frans was curious to know if any specific apps’ data could be modified with access to the public CloudKit containers in which their data was stored. Long story short, they could.

Security misconfigurations found in Cloudkit

Frans found that several Apple apps had bugs related to permissions to the public scope in CloudKit – meaning that he, and potentially other unauthorized persons, could modify and even erase public and personal content on specific Apple websites and apps. By leveraging these security misconfigurations, he hacked his way into iCrowd+ and Apple News, and even unintentionally took Shortcuts temporarily offline.

The Apple Security team was quick to take action in response to Frans’ findings. All bugs have been fixed. See the technical report from Frans Rosen on Detectify Labs.

Understanding Cloudkit

To understand where CloudKit was used by Apple themselves, Frans started by looking into how all the different apps connected to it. By proxying all Apple-owned apps and browser content and analysing the requests and responses, he could see different APIs were being used to connect to CloudKit. 

CloudKit has different databases that let you separate app information by access type or function:

• A Private scope, only accessible by your own user
• Shared one used for data being shared between users
• Public one, accessible by anyone – some parts with a public API-token, and some with authentication (with some exceptions).

Each database has zones, which also have permissions set on them. A short description of how CloudKit is structured follows at the end of this article.

The bugs found in CloudKit

With knowledge of the different types of API connections utilized, Frans started testing permissions regarding the data he could publish into CloudKit’s Public scope. 

He found several bugs related to permissions in CloudKit pertaining to iCrowd+, Apple News and Shortcuts, that in different ways allowed him to modify publicly visible and personal content on the apps. 

The vulnerability found in Shortcuts in March 2021 was the most significant one. It caused all Shortcut sharing links to break, and it was quickly noticed amongst Apple users, media reporters, and especially Shortcuts fans.

Accidentally taking down Shortcuts

Shortcuts allow you to create logical flows that can be launched automatically or manually which then triggers different actions across your apps on iOS-devices. Many Shortcuts users have integrated these into their daily routines to automate away some of the more tedious tasks in life. These shortcuts can be shared with other people using iCloud-links. When you share a shortcut, a record with the record type SharedShortcut will be created in the Public scope.

As part of the process of testing different Apple apps connected to CloudKit, Frans had previously tried deleting public zones but got “permission denied” – all according to the documentation.

But when testing permissions in the Shortcuts CloudKit database, Frans suddenly got an “OK” when he attempted to delete the default zone.

He could see that there was still a default zone existing, even if it was first deleted. But when he tried some links to already shared shortcuts inside the Public scope, all gave 404. The same thing happened when opened the Shortcuts app on his phone.

All bugs were responsibly disclosed

Frans immediately informed Apple Security about the issue, excusing himself for not really seeing a different way to spot this bug. They confirmed they had received the information and asked him to stop testing, which he obliged to immediately.

Frans was not the only one noticing that Shortcuts was broken as the community on Twitter immediately started broadcasting the issue. Several news outlets and podcasts picked up the news. 

The day after, Apple explained publicly that they were working on a fix, and they were quick to remediate the issue and restore Shortcuts. Frans was rewarded $28,000 for his finding.

View the full technical report from Frans Rosen on Detectify Labs.

Short description of how CloudKit is structured:

1. You create a container with a name. Suggested format is reversed domain structure, like com.apple.xxx. All containers you create yourself will begin with iCloud.
2. Inside the container you have two environments, Development and Production.
3. Inside the environments you have three different scopes, Private, Shared and Public. Private is only accessible by your own user. Shared is used for data being shared between users and Public is accessible by anyone, some parts with a public API-token, and some with authentication (with some exceptions, I’ll get to that below).
4. Inside each scope, you have different zones you can create. Default zone is called _defaultZone.
5. Inside each zone, you have different record types that you can create yourself.
6. Each record type can contain different record fields, these fields can save different types of data, like INT, BOOLEAN, TEXT, BINARY etc.
7. Inside each zone you also have records. Each record is always connected to a record type.

For more information, please contact:

Fredrika Isaksson, PR Manager
[email protected]
or [email protected]
+46 (0) 76 – 774 96 66

Tanaya Lukaszewski
Offleash for Detectify
[email protected]

About Detectify

A challenger to conventional application security, Detectify automates the latest security knowledge from leading ethical hackers and brings it into the hands of security defenders and web application teams. Powered by a network of handpicked ethical hackers, Detectify’s web vulnerability scanner checks your application beyond the OWASP Top 10 and helps you stay on top of threats in the cloud.

What will Detectify find in your web apps? Start a free 2-week trial of Detectify today.