In 2020, I was big into Shortcuts. I was fairly active in the Shortcuts community at the time, but I was also transitioning over to the jailbreak community and wanted to find bugs in Shortcuts. Back in January 2021 or earlier, I accidentally discovered an awesome internet permission bypass. While low impact, I am still proud of it: it was the first CVE I discovered, back when I was just 14(!!!).

Shortcuts and URLs

The way Shortcuts checked for internet permission in iOS 13 and 14 was to look at URLs and decide whether they were internet URLs. This is so that data:// URLs used to display generic text don't trigger an internet permission prompt when they don't need one. Any URL without a protocol is automatically assumed to be an internet URL, but data:// and file:// URLs are not. To decide whether a URL was an internet URL, Shortcuts checked for the literal prefixes https:// and http://.

The bug

So it turns out you don't need two slashes in a URL; one is enough. https:/someurl.com will still work, and since the string is https:/ rather than https://, Shortcuts interprets it as a different protocol and does not warn.

Wait, that's it?

Yeah, believe it or not, that's all the bug was. I stumbled upon it completely by accident and was really happy I did. I don't have a record of the actual email I sent to Apple Product Security, but I did copy the email before I sent it as a backup, and judging by my file dates, I reported this on February 7, 2021.

The... "patch"

Apple credited this in iOS 14.7, watchOS 7.6, etc. as CVE-2021-30763; weirdly enough, not under Shortcuts but under ActionKit. I sort of get this, while also not: ActionKit is the private backend framework of Shortcuts, so I can see why Apple credited ActionKit rather than Shortcuts if the bug lived there, since technically it is an ActionKit vulnerability and not a Shortcuts one. But at the same time, ActionKit is a private framework that only Shortcuts is allowed to use... In the end it put the entry at the top of the page, and I was really happy to have the first credit in the release notes at the time.

The thing is though... they never actually "patched" it fully, at least not until iOS 15, which got a complete rewrite of the URL validation logic. Instead, specifically in the Get Contents of URL action, they added code that refused ":/" as a scheme separator, rather than checking for the https: scheme itself. It was actually still exploitable after the patch, because other actions can access the internet: for example, feeding this URL into a Make Archive action followed by an Extract Archive action will still send a GET request to the server without prompting. This was fully patched in iOS 15, however.

Looking back, the impact is so small that I don't know whether I would even report it today, but I am still happy I did, as it got me my first CVE credit at 14, which motivated me heavily to do security research. Even if the bug isn't actually that cool, it holds a place in my heart, as weird as that may be.
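To make the bug and the partial fix concrete, here is an added Python sketch. It is not Apple's code and I have not seen the ActionKit implementation; it models the three checks exactly as the post describes them (the iOS 13/14 literal prefix match, the iOS 14.7 tweak in Get Contents of URL that refused a scheme followed by ":/", and the scheme-based check a prefix match should have been), and uses the post's placeholder someurl.com plus a couple of constructed data:// and file:// inputs. Function names, the "internet"/"local"/"rejected" labels, and the treatment of schemeless strings as internet (taken from the post's description of the default) are my assumptions.

```python
import re
from urllib.parse import urlsplit

# Schemes that should trigger the internet permission prompt.
INTERNET_SCHEMES = {"http", "https"}

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# A scheme followed by ":/" with exactly one slash (the bypass shape).
_SINGLE_SLASH_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:/(?!/)")


def ios14_check(url: str) -> str:
    """Model of the iOS 13/14 logic as the post describes it: a literal
    prefix match on "http://" / "https://".  Anything else is treated as a
    local URL (data://, file://) and gets no permission prompt, which is
    exactly why "https:/someurl.com" slipped through."""
    if url.startswith(("http://", "https://")):
        return "internet"
    return "local"


def ios147_check(url: str) -> str:
    """Model of the iOS 14.7 change in Get Contents of URL: a scheme followed
    by ":/" with one slash is refused outright; everything else still goes
    through the old prefix match.  The post notes that other actions kept the
    old check, so this only closes the hole in the one action."""
    if _SINGLE_SLASH_RE.match(url):
        return "rejected"
    return ios14_check(url)


def scheme_check(url: str) -> str:
    """What the prefix match should have been: parse the scheme and compare
    it case-insensitively against the internet schemes.  A string with no
    scheme counts as internet, matching the default the post describes."""
    m = _SCHEME_RE.match(url)
    if m is None:
        return "internet"
    return "internet" if m.group(1).lower() in INTERNET_SCHEMES else "local"


def parse_parts(url: str) -> tuple[str, str, str]:
    """Show what a standard URL parser makes of a single-slash URL: the
    scheme is still recognised as https even though the string never
    contained "https://".  This is the gap between "looks like https://"
    and "is an https URL" that the prefix check fell into."""
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc, parts.path)


def compare(urls: list[str]) -> dict[str, tuple[str, str, str]]:
    """Run all three checks over a list of URLs for side-by-side comparison."""
    return {u: (ios14_check(u), ios147_check(u), scheme_check(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample inputs: the post's bypass URL plus normal cases.
    samples = [
        "https://someurl.com",
        "https:/someurl.com",   # the CVE-2021-30763 shape
        "HTTPS://someurl.com",
        "someurl.com/path",     # schemeless: internet by default
        "data://hello",
        "file:///etc/hosts",
    ]
    print(f"{'url':24} {'iOS 13/14':10} {'iOS 14.7':10} scheme-based")
    for url, (a, b, c) in compare(samples).items():
        print(f"{url:24} {a:10} {b:10} {c}")
    print("urlsplit('https:/someurl.com') ->", parse_parts("https:/someurl.com"))
```

The table the script prints is the whole story: the iOS 13/14 column marks https:/someurl.com as local (no prompt), the iOS 14.7 column refuses that one string shape but leaves the underlying prefix logic in place, and the scheme-based column classifies by what the URL actually is. The general lesson is that "starts with https://" is a test on the spelling of a URL, not on its scheme; the robust check parses first and compares the parsed scheme.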