This vulnerability affects iOS 13, 14, and (at the time of writing) iOS 15, though with significant limitations in iOS 15. The bug was discovered by me, Snoolie, and involves the Shortcuts app's Extract Archive action.
The Vulnerability
The Shortcuts app's Extract Archive action has a path traversal vulnerability that allows writing to restricted directories. By creating a zip file and using the "Set Name" action to specify a path with dot notation (like ../../../../../../../../../../private/var/mobile/Library/WebClips/testingzip.zip), the Extract Archive action can create folders in system directories like WebClips.
While these folders are normally auto-deleted when the shortcut finishes execution, they persist if the shortcut crashes or is force-closed before completion. This is particularly concerning because .webclip files are essentially folders, making them vulnerable to this technique.
Example Proof of Concept: iCloud Shortcut Link
iOS 15 / macOS Monterey Mitigation
While the core vulnerability still exists in iOS 15, Apple implemented significant security improvements that limit its impact. In iOS 15, built-in shortcut actions now operate with different privileges than the Shortcuts app itself. While the Shortcuts app retains write access to directories like /var/mobile/Library/WebClips, individual actions are restricted to the iCloud~is~workflow~my~workflows directory.
Attempts to bypass this restriction by creating symlinks from the allowed directory to protected locations are blocked. The remaining attack surface is limited to:
- Writing to the workflows directory without requiring Save File permission
- Only initial folder creation (no overwriting existing files)
- Restricted to initial write operations on folders only
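The check an extractor needs against both the traversal name and the symlink trick described above, as an added example that is not Apple's code or part of the original writeup. It assumes the extractor creates a folder named after the archive inside an allowed root; the function names and the temporary directories standing in for the workflows and WebClips folders are hypothetical.

```python
import os
import tempfile

class UnsafeArchiveName(ValueError):
    """Raised when an archive name would place output outside the root."""

def extraction_dir(root: str, archive_name: str) -> str:
    """Return the folder to extract into, or raise if it escapes `root`.

    Assumption: the output folder is named after the archive
    (file name minus extension) and created inside `root`.
    """
    real_root = os.path.realpath(root)
    stem = os.path.splitext(archive_name)[0]
    # Join first, then resolve: realpath collapses ".." segments and follows
    # symlinks already present on the path, so both tricks are caught here.
    candidate = os.path.realpath(os.path.join(real_root, stem))
    inside = os.path.commonpath([real_root, candidate]) == real_root
    if candidate == real_root or not inside:
        raise UnsafeArchiveName(archive_name)
    return candidate

def demo() -> dict:
    """Run the check over constructed names; returns name -> verdict."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "workflows")      # stand-in for the allowed dir
        protected = os.path.join(tmp, "WebClips")  # stand-in for a protected dir
        os.makedirs(root)
        os.makedirs(protected)
        os.symlink(protected, os.path.join(root, "link"))  # symlink out of root
        names = [
            "photos.zip",  # constructed benign name
            "../../../../../../../../../../private/var/mobile/Library/WebClips/testingzip.zip",
            "link/testingzip.zip",  # constructed: goes through the symlink
            "/private/var/mobile/Library/WebClips/testingzip.zip",  # absolute
        ]
        for name in names:
            try:
                extraction_dir(root, name)
                results[name] = "allowed"
            except UnsafeArchiveName:
                results[name] = "rejected"
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

Only the plain name is allowed; the relative traversal, the symlinked path, and the absolute path all resolve outside the root and are rejected before any folder is created.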
Acknowledgments
Special thanks to the Shortcuts Hacking Discord community for their support and collaboration.