Now we all know who broke all the Apple Shortcuts in 2021

Oops…

Apple Shortcuts broke for Apple users worldwide earlier this year, and it turns out that a security researcher exploring bugs in CloudKit accidentally caused the problem when he found a security flaw, reports Swedish security firm, Detectify.

Kicking around the iCloud

The flaw was first found by Swedish ethical hacker and Detectify co-founder, Frans Rosén.

He found a range of serious vulnerabilities, including flaws which let him modify or erase content on Apple’s websites, iCloud, and Apple News. He informed Apple and the company immediately fixed the problem, Detectify revealed today.

Rosén found that data could be modified with access to the public CloudKit containers in which data was stored. He hacked his way into Apple’s systems and at one point unintendedly took Shortcuts temporarily offline.

What happened for users is that all existing Shorcuts temporarily disappeared. This caused a lot of heartache, including from the man widely regarded as the nicest man in Apple journalism, Federico Viticci, who wrote at the time:

Okay, WTF.

The entire @macstoriesnet Shortcuts Archive has broken links right now. None of the links to my hundreds of shortcuts are working anymore.

I *seriously* hope Apple has a quick fix for this. https://t.co/MGwB1bRhHD https://t.co/5BMhhbdoqC pic.twitter.com/fbbxuHzW2V

— Federico Viticci (@viticci) March 24, 2021

Rosén says the Apple Security team quickly took action subsequent to him letting them know of the problem and all bugs have now been fixed.

The ‘Eureka’ moment

As part of the process of testing different Apple apps connected to CloudKit, he had previously tried deleting public zones but got “permission denied”, which was a good thing.

What happened is that while testing permissions in the Shortcuts CloudKit database, Frans suddenly got an “OK” when he attempted to delete the default zone.

[Also read: 3+ Siri Shortcuts you’ll use every day]

“He could see that there was still a default zone existing, even if it was first deleted. But when he tried some links to already shared shortcuts inside the Public scope, all gave 404. The same thing happened when opened the Shortcuts app on his phone.”

He also figured out that all Apple News content is also served by CloudKit. While he found hacking this system challenging, he eventually figured out how to change content in News and how to publish stories there. This also worked in the Stocks app, he said.

He contacted Apple to let him know about these bugs, who developed a fix and paid Rosén for the flaws he found. (He earned $64,000 in bug bounty for this work.)

Dig deep into Cloudkit

The hacker revealed a little about CloudKit, telling us it has different databases to separate app-related information by access type or by function.

• APrivate scope, only accessible by your own user
• Shared one used for data being shared between users
• Public one, accessible by anyone – some parts with a public API-token, and some with authentication (with some exceptions).

You can explore an in-depth report explaining Rosén’s work here.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.