CalvinBackup/iOS18.6.2-Persistent-Automation-Exploit-in-Siri-Shortcuts-and-Apple-SWC
1
0
Fork 0
mirror of https://github.com/JGoyd/iOS18.6.2-Persistent-Automation-Exploit-in-Siri-Shortcuts-and-Apple-SWC.git synced 2026-02-12 13:22:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
iOS18.6.2-Persistent-Automa…/README.md
Joseph Goydish II 191921ab76 Update README.md
2025-11-06 15:39:30 -05:00

114 lines
4.2 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Improper Input Validation in Siri Shortcuts and Shared Web Credentials (Zero Day Disclosure)
**Discovered by:** Joseph Goydish II
**Date Discovered:** August 20, 2025
**Severity:** High
**Proposed CVSS v4.0 Base Score:** 7.4 (High)
---
## Executive Summary
This report outlines a high-severity vulnerability chain affecting Apples Siri Shortcuts and Shared Web Credentials (SWC) framework. The flaws allow malformed payloads to execute silently in the background, bypassing input validation, sandboxing, and user prompts. These workflows persist across reboots and relaunches and can trigger sensitive system daemons without proper entitlement.
---
## Key Consequences
* Silent background execution of malformed Shortcut workflows
* Unauthorized sandbox extension requests from system daemons
* Persistent retry storms in `swcd` (observed: 71+ retries)
* TLS trust degradation — certificate mismatches are tolerated
* Workflow persistence across device reboot and relaunch
---
## Detection Context
* **Device:** iPhone 14 Pro Max
* **OS Version:** iOS 18.6.2
* **State:** Live, in-field (production)
* **Exploitation Status:** Proven, persistent, and reproducible
---
## Affected Components
| Component | Description |
| ------------------------ | ---------------------------------------------------------- |
| com.apple.Shortcuts | Executes malformed payloads without validation |
| BackgroundShortcutRunner | Executes workflows silently in background |
| com.apple.siriknowledged | Issues sandbox extension requests from malformed workflows |
| com.apple.swcd | Repeatedly retries malformed JSON and ignores TLS errors |
| searchd, symptomsd | Triggered without entitlement via chained payloads |
| iOS/macOS | All versions supporting Siri Shortcuts and SWC |
---
## Vulnerability Details
### 1. Improper Shortcut Parsing
* Allows null fields (e.g., `WFLinkEntityContentItem.title = null`)
* No schema enforcement or fail-fast behavior during execution
### 2. Silent Background Execution
* Triggers via `BackgroundShortcutRunner` with no user prompt or visual indicator
* Circumvents user interaction models intended by Siri Shortcuts
### 3. Retry Storms in `swcd`
* Observed 71+ retries on malformed JSON submissions
* Ignores TLS certificate mismatches, violating security expectations
### 4. Sandbox Extension Requests
* System daemons request elevated entitlements based on malformed workflows
* Lacks origin validation and fails to enforce sandbox boundaries
### 5. Workflow Persistence
* Malformed workflows stored in `/var/mobile/Library/Shortcuts/`
* Automatically re-triggered upon device reboot or application relaunch
---
## Delivery Vectors
| Vector | Description |
| -------------------- | --------------------------------------------------------- |
| iCloud Shortcut Sync | Syncs malformed workflows silently across trusted devices |
| MobileDevice API | Allows injection of payloads via iTunes/MDM interfaces |
| Automation Profiles | Enables timed or trigger-based execution without consent |
---
## Artifact Snapshot (`swcutil --show`)
Example output:
```
[swcd] Error: Received malformed JSON blob
[swcd] Retrying request... (71/∞)
[swcd] TLS validation failed: continuing without certificate trust
```
---
## Recommendations
* Implement strict schema validation for all Shortcut-related data
* Enforce proper TLS certificate validation in SWC service communications
* Prevent `BackgroundShortcutRunner` from executing unverified workflows
* Log and monitor all sandbox extension requests for anomaly detection
* Add controls to prevent malformed workflows from persisting post-reboot
---
## Conclusion
This vulnerability affects a broad part of the Apple ecosystem by combining automation logic, credential handling, and background execution flows. Without proper controls, attackers may be able to persist stealthy logic flows across system sessions and abuse system trust boundaries. In-the-wild exploitation has been identified, the reproducibility and persistence characteristics elevate the risk considerably.
---
Reference in New Issue View Git Blame Copy Permalink