Bouke van der Bijl

CVE-2021-1831 Shortcuts File Read Outside of Sandbox

May 2021

iOS 14.5 included a security fix for a security issue I reported. The vulnerability is in the Shortcuts framework, which allows apps to add additional actions to Shortcuts. The issue is in INFile.init(fileURL:filename:typeIdentifier:), which allows the extension to return a file. The problem is there is no check that fileURL is within the app sandbox of the app extension, so the extension can expose files within the sandbox of Shortcuts, making it possible to read and write files that the user should not have access to.

The impact of this is not very big, you can’t edit the settings files of Shortcuts for example because those have an additional sandboxing measure applied to them. It mostly allowed for reading some files in the Shortcuts cache, which could leak cached location data for example.

It was a fun vulnerability to find! Besides an acknowledgement in the release notes I didn’t get any reward for it, which considering the small impact is fair in my opinion. I do think that because of the pervasiveness of the Shortcuts framework (it’s basically integrated everywhere at this point) that there is still other vulnerabilities to find.