Apple devices: Internet permission bypass via shortcut (CVE-2024-40787)


CVE-2024-40787 is a vulnerability in which a shortcut can bypass Internet permission requirements on Apple devices. This issue affects iOS, iPadOS, macOS, and watchOS, and was first discovered 0 months ago. Although it is not a 0-day vulnerability, it is significant because it allows potential attackers to gain unauthorized Internet access without user consent. The primary concern is that this vulnerability could be exploited on any Apple device, putting all users at risk. The issue has been addressed by requiring an additional prompt for user consent.


Remediation and exploitation details

This chain involves the following actors

The following systems are involved

Attack entry point

Remediation actions

Exploitation actions

CVE database technical details

CVE ID
CVE-2024-40787
Description
This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Ventura 13.6.8, macOS Monterey 12.7.6, iOS 17.6 and iPadOS 17.6, watchOS 10.6, macOS Sonoma 14.6. A shortcut may be able to bypass Internet permission requirements.
Provider
apple
CWE / problem types
A shortcut may be able to bypass Internet permission requirements
Affected Software Versions
Apple iOS and iPadOS: version unspecified, status affected, lessThan 17.6, versionType custom
Apple macOS: version unspecified, status affected, lessThan 13.6, versionType custom
Apple watchOS: version unspecified, status affected, lessThan 10.6, versionType custom
Apple macOS: version unspecified, status affected, lessThan 14.6, versionType custom
Apple macOS: version unspecified, status affected, lessThan 12.7, versionType custom
Date Published
2024-07-29T22:16:42.833Z
Last Updated
2025-03-13T18:47:15.731Z