(iOS 18.6.2) Improper Input Validation in Siri Shortcuts and Shared Web Credentials
Siri Shortcuts and Shared Web Credentials have an input validation vulnerability that leads to silent background execution of invalid workflows, retry storms (up to 71 attempts), and sandbox extension abuse. The vulnerability affects iOS/macOS versions that support Siri Shortcuts (e.g., iOS 18.6.2); CVSS score 7.4. Suggested remediations include rejecting malformed input, capping the number of retries, and strengthening TLS validation. 2025-9-8 22:7:15 Author: seclists.org


Full Disclosure mailing list archives


From: josephgoyd via Fulldisclosure <fulldisclosure () seclists org>
Date: Thu, 21 Aug 2025 01:06:55 +0000

Improper Input Validation in Siri Shortcuts and Shared Web Credentials
Enables Persistent Background Execution, Retry Storms, and Sandbox Extension Abuse

Date Discovered: August 20, 2025
Discovered By: Joseph Goydish II

Affected:
- iOS/macOS versions supporting Siri Shortcuts + Shared Web Credentials (SWC)
- Confirmed on iPhone 14 Pro Max / iOS 18.6.2

CWE Classification:
- CWE-20: Improper Input Validation
- CWE-184: Incomplete List of Disallowed Inputs
- CWE-307: Improper Restriction of Excessive Authentication Attempts
- CWE-284: Improper Access Control

Impact Summary:
- Silent and persistent background execution of invalid workflows
- Unauthorized sandbox extension requests from system daemons
- Retry storms (71 attempts observed) in swcd
- TLS trust mismatches ignored during repeated network requests
- Persistence across reboots and relaunch

CVSS v4.0 Base Score: 7.4 (High)

Vulnerability Details:
1. Siri Shortcuts accepts malformed payloads containing null fields (e.g., WFLinkEntityContentItem.title) without rejection.
2. BackgroundShortcutRunner executes payloads silently, no error or notification.
3. swcd retries malformed JSON responses up to 71 times, ignoring TLS mismatches.
4. System daemons (siriknowledged, searchd) issue entitlement requests despite denial.
5. Malicious automations persist after reboot or app relaunch.

Delivery Vectors:
- Injection via iCloud Shortcut sync or MobileDevice API
- Stored at /var/mobile/Library/Shortcuts/
- Auto-triggered via automation profiles

Suggested Remediations:
- Siri Shortcuts: Reject malformed inputs
- SWC: Cap retries to 3
- TLS: Enforce strict chain validation, abort on mismatch
- Automation framework: Require runtime permission for network-enabled workflows
- Logging: Flag anomalous retry patterns

Artifacts:
- swcutil dump (Aug 20, 2025)
- Console trace (video capture available)

Full technical report (PDF):
https://github.com/JGoyd/iOS18.6.2-Persistent-Automation-Exploit-in-Siri-Shortcuts-and-Apple-SWC

---
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
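As an added illustration of the "cap retries to 3", "abort on TLS mismatch" and "flag anomalous retry patterns" remediations suggested in the post (this is example code written for this page, not Apple's code and not the reporter's), the following Python models a client-side retry policy that stops after three attempts, treats a TLS trust mismatch or a malformed JSON body as terminal rather than retryable, and a detector that flags any process exceeding the cap against one host. The log line format, the `TransientFailure`/`TerminalFailure` classes, and the sample log are assumptions constructed for the demonstration, not the real swcd log format.

```python
"""Added example: bounded retry policy plus a retry-storm detector.

Nothing here is Apple's or the reporter's code; the log line format and
the exception classes are assumptions made for this demonstration.
"""
import json
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Union

MAX_RETRIES = 3  # the cap the advisory suggests for SWC fetches


class TransientFailure(Exception):
    """Retryable network error (e.g. connection reset). Hypothetical class."""


class TerminalFailure(Exception):
    """Non-retryable error such as a TLS trust mismatch. Hypothetical class."""


@dataclass
class FetchResult:
    ok: bool
    attempts: int
    reason: str
    payload: dict = field(default_factory=dict)


def fetch_with_policy(fetch: Callable[[], str], max_retries: int = MAX_RETRIES) -> FetchResult:
    """Call fetch() at most max_retries times and parse its body as JSON.

    Only TransientFailure is retried. A TerminalFailure (TLS mismatch) aborts
    immediately, and a body that is not valid JSON is also terminal: retrying
    the same request will not turn a malformed response into a valid one.
    """
    attempts = 0
    last = "no attempts made"
    while attempts < max_retries:
        attempts += 1
        try:
            body = fetch()
        except TransientFailure as exc:
            last = f"transient: {exc}"
            continue
        except TerminalFailure as exc:
            return FetchResult(False, attempts, f"terminal: {exc}")
        try:
            return FetchResult(True, attempts, "ok", json.loads(body))
        except (json.JSONDecodeError, TypeError):
            return FetchResult(False, attempts, "terminal: malformed JSON")
    return FetchResult(False, attempts, f"gave up after {attempts} attempts ({last})")


def scripted_fetch(outcomes: List[Union[str, Exception]]) -> Callable[[], str]:
    """Build a fake fetch() that replays the given outcomes in order (constructed for the demo)."""
    it = iter(outcomes)

    def fetch() -> str:
        item = next(it)
        if isinstance(item, Exception):
            raise item
        return item

    return fetch


# Constructed log format: "<timestamp> <process>[<pid>]: retry <n> for <host>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: retry (?P<n>\d+) for (?P<host>\S+)$")

SAMPLE_LOG = [  # constructed sample, not a real device log
    "2025-08-20T10:00:01 swcd[412]: retry 1 for example.com",
    "2025-08-20T10:00:02 swcd[412]: retry 2 for example.com",
    "2025-08-20T10:00:03 swcd[412]: retry 3 for example.com",
    "2025-08-20T10:00:04 swcd[412]: retry 4 for example.com",
    "2025-08-20T10:00:05 swcd[412]: retry 5 for example.com",
    "2025-08-20T10:00:06 swcd[412]: retry 1 for other.example",
    "2025-08-20T10:00:07 searchd[99]: unrelated message",
]


def detect_retry_storms(lines: List[str], cap: int = MAX_RETRIES) -> Dict[str, int]:
    """Return {"process:host": retry_count} for every pair whose retries exceed cap."""
    counts: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[(m["proc"], m["host"])] += 1
    return {f"{proc}:{host}": n for (proc, host), n in counts.items() if n > cap}


if __name__ == "__main__":
    print(fetch_with_policy(scripted_fetch([TransientFailure("reset")] * 10)))
    print(fetch_with_policy(scripted_fetch([TerminalFailure("TLS trust mismatch")])))
    print(detect_retry_storms(SAMPLE_LOG))
```

The design point is the split between transient and terminal failures: a retry budget only helps if the client also refuses to spend it on errors that cannot succeed on a second try, which is exactly the combination (repeated fetches of a malformed body, over a connection whose trust chain did not validate) the post describes. The detector side works on whatever log source exposes the retry events; in a real deployment the regular expression would be replaced with the actual log schema.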


Source: https://seclists.org/fulldisclosure/2025/Sep/5