Researcher testing Apple CloudKit accidentally took Shortcuts completely down

A security researcher has explained how his investigation into Apple's CloudKit platform inadvertently brought down Siri Shortcuts earlier in 2021.

Credit: AppleInsider

Frans Rosen, a bug bounty hunter for security firm Detectify, on Monday revealed that he had accidentally broken Shortcut sharing links while probing a misconfiguration in Apple's CloudKit system.

Earlier in 2021, Rosen said he was examining the security of Apple's services -- and specifically CloudKit. Since many of Apple's own apps stored information in CloudKit databases, he was curious whether or not any specific app data could be modified by getting access to a public CloudKit container.

While investigating permissions in the CloudKit containers, he found several vulnerabilities related to iCrowd+, Apple News, and Shortcuts. At one point, he was able to delete a default zone without the proper permissions because of an Apple misconfiguration. That simple move, essentially, broke Shortcuts.

"All of them were gone. I now realized that the deletion did somehow work, but that the _defaultZone never disappeared," the researcher wrote. "When I tried sharing a new shortcut, it also did not work, at least not to begin with, most likely due to the record types also being deleted."

Rosen said he immediately reached out to Apple's security team, who told him to stop testing the system. The team then worked to resolve the issue, restoring Shortcuts and patching the problem by removing the options to delete or create public zones.

According to Rosen, the vulnerabilities did not allow him to access any private or user information. He was awarded a $28,000 bounty for his discovery by Apple's security team.

"Approaching CloudKit for bugs turned out to be a lot of fun, a bit scary, and a really good example of what a real deep-dive into one technology can result in when hunting bugs," Rosen said. "The Apple Security team was incredibly helpful and professional throughout the process of reporting these issues."


Comments

  • Reply 1 of 9
    rob53 Posts: 3,251 member
    "Frans Rosen, a bug bounty hunter for security firm Detectify" and the title calls him a researcher? He's a hacker, plain and simple. True security researchers don't allow what they're doing to impact people outside their local testing net. I don't care if Apple gave him some money, I'd like to see how many people he affected so he can use that money to pay them for breaking the system.
  • Reply 2 of 9
    chadbag Posts: 2,000 member
    To the editor: “ on Monday revealed that he had accidentally broken Shortcut sharing links” (note “broken”, not “broke”)
  • Reply 3 of 9
    crowley Posts: 10,453 member
    iCrowd+ ? :smiley: 
  • Reply 4 of 9
    rob53 said:
    "Frans Rosen, a bug bounty hunter for security firm Detectify" and the title calls him a researcher? He's a hacker, plain and simple. True security researchers don't allow what they're doing to impact people outside their local testing net. I don't care if Apple gave him some money, I'd like to see how many people he affected so he can use that money to pay them for breaking the system.
    Couldn’t agree more. 

    Anyone doing actual scientific research should not be testing live servers, as they cannot be certain that what they are finding is solely due to their actions. That’s just basic methodology that’s being ignored.

    If I take joy in driving at an excessive speed, instead of being fined when caught, should I be paid a bounty by claiming I am testing vehicle performance and/or roadway characteristics?

  • Reply 5 of 9
    crowley Posts: 10,453 member

    rob53 said:
    "Frans Rosen, a bug bounty hunter for security firm Detectify" and the title calls him a researcher? He's a hacker, plain and simple. True security researchers don't allow what they're doing to impact people outside their local testing net. I don't care if Apple gave him some money, I'd like to see how many people he affected so he can use that money to pay them for breaking the system.
    Give over, this was Apple's fault. Don't blame the good guys who report this stuff, or we'll soon not have anyone reporting this stuff.
  • Reply 6 of 9
    rob53 said:
    "Frans Rosen, a bug bounty hunter for security firm Detectify" and the title calls him a researcher? He's a hacker, plain and simple. True security researchers don't allow what they're doing to impact people outside their local testing net. I don't care if Apple gave him some money, I'd like to see how many people he affected so he can use that money to pay them for breaking the system.
    If it’s a public facing system it’s fair game to test on within reason, which this sounds to be. It isn’t like he launched a DoS attack on it. I’d rather have him discover it than a malicious user. 
  • Reply 7 of 9
    rob53 Posts: 3,251 member
    rob53 said:
    "Frans Rosen, a bug bounty hunter for security firm Detectify" and the title calls him a researcher? He's a hacker, plain and simple. True security researchers don't allow what they're doing to impact people outside their local testing net. I don't care if Apple gave him some money, I'd like to see how many people he affected so he can use that money to pay them for breaking the system.
    If it’s a public facing system it’s fair game to test on within reason, which this sounds to be. It isn’t like he launched a DoS attack on it. I’d rather have him discover it than a malicious user. 
    Or a malicious company? The guy is a paid bounty hunter for Detectify, whoever that is. 

    From labs.detectify.com

    Detectify releases Ugly Duckling, an open-source web scanner for ethical hackers DetectifyCrowdsource open-source scanner CVE-2020-29653: Stealing Froxlor login credentials using dangling markup ….

    Ethical hackers? 
    edited September 2021
  • Reply 8 of 9
    rob53 said:
    "Frans Rosen, a bug bounty hunter for security firm Detectify" and the title calls him a researcher? He's a hacker, plain and simple. True security researchers don't allow what they're doing to impact people outside their local testing net. I don't care if Apple gave him some money, I'd like to see how many people he affected so he can use that money to pay them for breaking the system.
    If it’s a public facing system it’s fair game to test on within reason, which this sounds to be. It isn’t like he launched a DoS attack on it. I’d rather have him discover it than a malicious user. 
    You mean ‘rather him than a malicious user who takes Shortcuts system completely down’?
  • Reply 9 of 9
    urahara said:
    rob53 said:
    "Frans Rosen, a bug bounty hunter for security firm Detectify" and the title calls him a researcher? He's a hacker, plain and simple. True security researchers don't allow what they're doing to impact people outside their local testing net. I don't care if Apple gave him some money, I'd like to see how many people he affected so he can use that money to pay them for breaking the system.
    If it’s a public facing system it’s fair game to test on within reason, which this sounds to be. It isn’t like he launched a DoS attack on it. I’d rather have him discover it than a malicious user. 
    You mean ‘rather him than a malicious user who takes Shortcuts system completely down’?
    Doing so accidentally and immediately reporting can be described many ways, but it is not malicious.