If you were in the Shortcuts community at the time, you would know how much of a mess iOS 15 was for Shortcuts. Granted, I don't really believe the Shortcuts editor has ever been perfect; in hindsight, iOS 13 and 14 still did have a lot of bugs, but they could generally be worked around, if a little annoyingly, and the editor still felt smooth. iOS 15 was very controversial at launch due to the severe number of issues that plagued it; it was almost unusable. It's still not perfect nowadays, but at launch it was especially awful. I do not blame the Shortcuts team at all, however; keep in mind this was a time when every year they constantly had to reinvent the app: first with iOS 12 and the transition from Workflow to Siri Shortcuts, then with iOS 13 and a new redesign and flow for Shortcuts and being more baked into the system, then iOS 14, which wasn't as big of a change but still did overhaul the main front of the app, and iOS 15 in particular had the team both rewrite the UI in SwiftUI and develop a new macOS application for it. From the outside view, looking back, it seemed that the team just had too much to do in too little time. It does seem as though they have thankfully gotten a break over the years, as iOS 16 and 17 were not huge redesigns of the app; rather, they took time to improve it overall, and I still do hear criticism of it, but far less.

I bring this background up today because it gives context for how the Shortcuts team needing to rush an update caused them to overlook many crucial things while rewriting it. This ultimately led to perhaps the most dangerous Shortcuts vulnerability to date: the Hidden Actions Vulnerability. It existed for only a short timeframe, from iOS 15 to 15.3.1, before getting patched in iOS 15.4, but it is still the most unique bug I've known in Shortcuts to this day. This is the story of that bug, and how I never got credited for reporting it.

Shortcuts PLISTs

To understand this bug, we need to understand how Shortcuts are initially stored. Shortcuts are stored in generic PLISTs that represent their actions. Take a look at this very old, bad writeup I did of it way back. Conditionals, funnily enough, are 2 to 3 actions, with the If, Else, and End If all counting towards the action count. is.workflow.actions.conditional is the action that handles them. Shortcuts determines whether it is an If, Else If, or End If via WFControlFlowMode. So, what happens when the value is one that Shortcuts doesn't account for?

The vulnerability

Yep, it's that simple. If it isn't a value Shortcuts can display, Shortcuts fails at loading the action properly, so as a failsafe it doesn't display the action. Since it is a conditional, it can't display actions after it, so it removes them too. This is a very simple but extremely harmful vulnerability, so I reported it. And this is where I fucked up.
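As a defensive check for the condition described above, here is an added example (not code from this post or from Apple) that audits a shortcut's unsigned plist and flags conditionals whose WFControlFlowMode is not a known value, listing the actions that follow. It assumes the commonly documented layout (WFWorkflowActions, WFWorkflowActionIdentifier, WFWorkflowActionParameters) and modes 0, 1 and 2; the sample data is constructed.

```python
import plistlib

CONDITIONAL = "is.workflow.actions.conditional"
# Assumption (not stated in the post): 0 = If, 1 = Otherwise, 2 = End If.
KNOWN_MODES = {0, 1, 2}


def audit_shortcut(plist_bytes):
    """Return one finding per conditional whose WFControlFlowMode is unknown."""
    workflow = plistlib.loads(plist_bytes)
    actions = workflow.get("WFWorkflowActions", [])
    findings = []
    for index, action in enumerate(actions):
        if action.get("WFWorkflowActionIdentifier") != CONDITIONAL:
            continue
        params = action.get("WFWorkflowActionParameters", {})
        mode = params.get("WFControlFlowMode")  # None if the key is missing
        # bool is a subclass of int in Python, so reject it explicitly.
        valid = (isinstance(mode, int) and not isinstance(mode, bool)
                 and mode in KNOWN_MODES)
        if not valid:
            findings.append({
                "index": index,
                "mode": mode,
                # Everything after this action is what the editor could fail to show.
                "following": [a.get("WFWorkflowActionIdentifier")
                              for a in actions[index + 1:]],
            })
    return findings


def _action(identifier, **params):
    # Helper for building the constructed sample below (hypothetical name).
    return {"WFWorkflowActionIdentifier": identifier,
            "WFWorkflowActionParameters": params}


# Constructed sample, not a real shortcut: a well-formed If/End If pair, then a
# conditional with an out-of-range mode followed by one more action.
SAMPLE = plistlib.dumps({"WFWorkflowActions": [
    _action(CONDITIONAL, WFControlFlowMode=0, GroupingIdentifier="A"),
    _action("is.workflow.actions.comment", WFCommentActionText="visible"),
    _action(CONDITIONAL, WFControlFlowMode=2, GroupingIdentifier="A"),
    _action(CONDITIONAL, WFControlFlowMode=99, GroupingIdentifier="B"),
    _action("is.workflow.actions.comment", WFCommentActionText="after"),
]})

if __name__ == "__main__":
    for f in audit_shortcut(SAMPLE):
        print(f"action {f['index']}: unexpected WFControlFlowMode {f['mode']!r}; "
              f"{len(f['following'])} action(s) follow it")
```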

The report

At the time, I was a stupid 15-year-old. I posted the video to Reddit as a POC before I would actually report it to Apple. You can see the video here as proof that I'm not bullshitting and did actually find it before I reported and before the bug was patched. This already is questionable since I'm not exactly sure if you are allowed to disclose that this type of vulnerability exists beforehand, but I made sure not to display what the vulnerability was so no one could replicate it, so perhaps it was still fine, or at least disqualified for bounty but acceptable for credit. Now here's the part where I really fucked up: for CVE-2021-30763, I reported it directly to Apple Product Security. Instead of doing that, like you are supposed to, I actually had contact with some of the Shortcuts developers at the time and reported it directly to them instead. Big fuck up. This was very, very stupid of me to do, as it basically squandered my chances of this ever getting a CVE, which hurts, as in my opinion this is still one of the worst bugs I have found. Nonetheless, I am very happy I have matured and learned not to do something incredibly stupid like that again.