In February 2021, Detectify co-founder and Crowdsource hacker Frans Rosén was looking for security bugs in Apple services. Noticing that many of Apple’s own apps store their data in public databases on Apple’s data storage framework CloudKit, Rosén was curious to know if any specific apps’ data could be modified with access to the public CloudKit containers in which their data was stored.
Long story short, they could. He found that several Apple apps had bugs related to permissions to the public scope in CloudKit – meaning that he, and potentially other unauthorized persons, could modify and even erase public and personal content on specific Apple websites and apps.
He hacked his way into iCrowd+ and Apple News, and even unintentionally took Shortcuts temporarily offline. The Apple Security team was quick to take action in response to Frans’ findings.
To understand where CloudKit was used by Apple themselves, Rosén started by looking into how all the different apps connected to it. By proxying all Apple-owned apps and browser content and analyzing the requests and responses, he could see different APIs [application programming interfaces] were being used to connect to CloudKit.
CloudKit has different databases that let you separate app information by access type or function: A Private scope, only accessible by your own user, a Shared one used for data being shared between users, and a Public one, accessible by anyone – some parts with a public API-token, and some with authentication (with some exceptions). Each database has zones, which also have permissions set on them. See below for a short description of how CloudKit is structured.
The bug findings
With knowledge of the different types of API connections utilized, Rosén started testing permissions regarding the data he could publish into CloudKit’s Public scope.
He found several bugs related to permissions in CloudKit pertaining to iCrowd+, Apple News and Shortcuts, that in different ways allowed him to modify publicly visible and personal content on the apps.
The vulnerability found in Shortcuts in March 2021 was the most significant one. It caused all Shortcut sharing links to break, and it was quickly noticed amongst Apple users, media reporters, and especially Shortcuts fans.
The Shortcuts bug
Shortcuts allows you to create logical flows that can be launched automatically or manually and that then trigger different actions across your apps on iOS devices. Many Shortcuts users have integrated these into their daily routines to automate away some of the more tedious tasks in life. These shortcuts can be shared with other people using iCloud links. When you share a shortcut, a record with the record type SharedShortcut will be created in the Public scope.
As part of the process of testing different Apple apps connected to CloudKit, Rosén had previously tried deleting public zones but got “permission denied” – all according to the documentation.
But when testing permissions in the Shortcuts CloudKit database, he suddenly got an “OK” when he attempted to delete the default zone.
Rosén could see that a default zone still existed, even though it had first been deleted. But when he tried some links to already shared shortcuts inside the Public scope, all gave 404. The same thing happened when he opened the Shortcuts app on his phone.
Rosén immediately informed Apple Security about the issue, apologizing that he had not really seen a different way to spot this bug. They confirmed they had received the information and asked him to stop testing, which he did immediately.
Rosén was not the only one to notice that Shortcuts was broken, as the community on Twitter immediately started broadcasting the issue. Several news outlets and podcasts picked up the news.
The day after, Apple explained publicly that they were working on a fix, and they were quick to remediate the issue and restore Shortcuts. Rosén was awarded $28,000 for his finding.
And here’s a short description of how CloudKit is structured:
- You create a container with a name. Suggested format is reversed domain structure, like com.apple.xxx. All containers you create yourself will begin with iCloud.
- Inside the container you have two environments, Development and Production.
- Inside the environments you have three different scopes, Private, Shared and Public. Private is only accessible by your own user. Shared is used for data being shared between users and Public is accessible by anyone, some parts with a public API-token, and some with authentication (with some exceptions).
- Inside each scope, you have different zones you can create. Default zone is called _defaultZone.
- Inside each zone, you have different record types that you can create yourself.
- Each record type can contain different record fields. These fields can store different types of data, like INT, BOOLEAN, TEXT, BINARY etc.
- Inside each zone you also have records. Each record is always connected to a record type.
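
The following is an added example, not part of the original article and not Apple's code or the CloudKit API. It models the container > environment > scope > zone hierarchy described above as a default-deny permission check, and audits a constructed policy for Public-scope grants that would let non-owners delete zones or change records. The policy format, principal names, operation names and container names are all hypothetical.

```python
"""Simplified model of the container > environment > scope > zone hierarchy.
All names, operations and the policy format are hypothetical; this is not the
CloudKit API or Apple's permission schema."""

# Operations a non-owner should not hold in the Public scope (assumption of this model).
RISKY_PUBLIC_OPS = {"zone.delete", "record.modify", "record.delete"}
# A grant to "anyone" is inherited by "authenticated" callers, and so on.
INHERITS = {"anyone": [], "authenticated": ["anyone"], "owner": ["authenticated", "anyone"]}

# Constructed sample policy, one entry per zone.
SAMPLE_POLICY = [
    {"container": "iCloud.com.example.news", "environment": "Production",
     "scope": "public", "zone": "_defaultZone",
     "grants": {"anyone": ["record.read"], "owner": ["record.modify"]}},
    {"container": "iCloud.com.example.flows", "environment": "Production",
     "scope": "public", "zone": "_defaultZone",
     "grants": {"anyone": ["record.read"], "authenticated": ["zone.delete"]}},
    {"container": "iCloud.com.example.flows", "environment": "Production",
     "scope": "private", "zone": "_defaultZone",
     "grants": {"owner": ["zone.delete", "record.modify"]}},
]

def effective_ops(entry, principal):
    """Operations a principal holds on a zone, including inherited grants."""
    ops = set(entry["grants"].get(principal, []))
    for parent in INHERITS[principal]:
        ops |= set(entry["grants"].get(parent, []))
    return ops

def is_allowed(policy, container, environment, scope, zone, principal, op):
    """Default deny: allow only if a matching zone entry grants the operation."""
    for e in policy:
        if (e["container"], e["environment"], e["scope"], e["zone"]) == (
                container, environment, scope, zone):
            return op in effective_ops(e, principal)
    return False

def audit_public_scope(policy):
    """Return (container, environment, zone, principal, op) for risky public grants."""
    findings = []
    for e in policy:
        if e["scope"] != "public":
            continue
        for principal in ("anyone", "authenticated"):
            for op in sorted(effective_ops(e, principal) & RISKY_PUBLIC_OPS):
                findings.append((e["container"], e["environment"], e["zone"], principal, op))
    return findings

if __name__ == "__main__":
    for finding in audit_public_scope(SAMPLE_POLICY):
        print("RISKY:", *finding)
```
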