macOS WorkflowKit Race Vulnerability Allows Malicious Apps to Intercept Shortcuts

A race condition vulnerability in Apple’s WorkflowKit has been identified, allowing malicious applications to intercept and manipulate shortcuts on macOS systems.

This vulnerability, cataloged as CVE-2024-27821, affects the shortcut extraction and generation processes within the WorkflowKit framework, which is integral to the Shortcuts app on macOS Sonoma.

macOS WorkflowKit Race Vulnerability

The vulnerability arises from a race condition in the method responsible for extracting signed shortcut files. The method -[WFShortcutPackageFile preformShortcutDataExtractionWithCompletion:] contains a flaw that can be exploited by malicious apps.

A malicious app can intercept the shortcut's files during the import process and sidestep the signature check: by modifying the extracted files before they are finalized, an attacker can inject malicious code into a shortcut without the user's consent.

A second race condition was found in the method generateSignedShortcutFileRepresentationWithPrivateKey:signingContext:error.

This flaw allows for similar interception and modification during the generation of signed shortcuts. By manipulating directory paths and using symbolic links, attackers can replace legitimate shortcuts with altered versions during the signing process.

The implications of this vulnerability are significant. A malicious app could run silently in the background, intercepting shortcuts that users share or import.

This could lead to unauthorized access to sensitive user data or execution of unintended actions within shortcuts. The vulnerability underscores the importance of robust path handling and validation mechanisms in software development.

Apple has addressed this vulnerability in macOS Sonoma 14.5 by implementing additional sandbox restrictions and improving path validation processes.

This patch prevents unauthorized access to temporary directories used during shortcut extraction and generation, effectively mitigating the risk of exploitation.
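As an added illustration, not code from the article or from Apple, the Python sketch below puts the check-then-use race the article describes next to a hardened extraction routine that verifies the in-memory bytes, writes exactly those bytes into a fresh private directory without following symlinks, and publishes the result atomically. The package format, the HMAC signing key and the file name are constructed stand-ins; Apple's real WorkflowKit format and signing scheme are not reproduced.

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

# Constructed stand-in for a signed shortcut package: file bytes plus a manifest of
# SHA-256 digests signed with an HMAC key (Apple's real format is not reproduced).
KEY = b"demo-key"

def make_package(files):
    blob = json.dumps({n: hashlib.sha256(d).hexdigest() for n, d in files.items()}, sort_keys=True).encode()
    return {"files": files, "manifest": blob, "sig": hmac.new(KEY, blob, "sha256").hexdigest()}

def verified_manifest(pkg):
    """Return the name->digest map if the manifest signature checks out, else None."""
    good = hmac.compare_digest(hmac.new(KEY, pkg["manifest"], "sha256").hexdigest(), pkg["sig"])
    return json.loads(pkg["manifest"]) if good else None

def racy_extract(pkg, dest, between=lambda: None):
    """'Before' pattern: unpack into a shared dir, verify what is on disk, then use it.
    Whatever touches the files in the gap (the `between` hook) ships as signed content."""
    manifest, tmp = verified_manifest(pkg), Path(dest, "tmp")
    tmp.mkdir(exist_ok=True)
    for name, data in pkg["files"].items():
        (tmp / name).write_bytes(data)
    if manifest is None or any(hashlib.sha256((tmp / n).read_bytes()).hexdigest() != d for n, d in manifest.items()):
        return None
    between()                       # TOCTOU window between the check and the use
    return {n: (tmp / n).read_bytes() for n in manifest}

def safe_extract(pkg, dest):
    """Hardened: verify the in-memory bytes, write exactly those bytes into a fresh 0700
    dir with O_EXCL|O_NOFOLLOW (no pre-placed file or symlink is followed), publish atomically."""
    manifest = verified_manifest(pkg)
    if manifest is None or set(manifest) != set(pkg["files"]):
        return None
    staging = tempfile.mkdtemp(dir=dest)
    for name, data in pkg["files"].items():
        if os.path.basename(name) != name or hashlib.sha256(data).hexdigest() != manifest[name]:
            return None             # path components or digest mismatch: refuse
        fd = os.open(os.path.join(staging, name), os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
    final = os.path.join(dest, "extracted")
    os.rename(staging, final)       # atomic publish of the verified tree
    return final

def demo():
    """Race a tampering hook against both extractors; return what each shipped."""
    pkg, dest = make_package({"Shortcut.wflow": b"<plist>ok</plist>"}), tempfile.mkdtemp()
    tamper = lambda: Path(dest, "tmp", "Shortcut.wflow").write_bytes(b"<plist>evil</plist>")
    racy = racy_extract(pkg, dest, tamper)["Shortcut.wflow"]
    safe = Path(safe_extract(pkg, dest), "Shortcut.wflow").read_bytes()
    return racy, safe, safe_extract(dict(pkg, sig="00" * 64), dest)
```

The hardened routine still relies on the OS sandbox to keep other processes out of the destination directory, which is the part of the fix the article attributes to Apple's additional sandbox restrictions.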

The discovery and reporting of this vulnerability were credited to security researchers Kirin (@Pwnrin), zbleet, and Csaba Fitzl (@theevilbit) of Kandji. Their efforts highlight the ongoing need for vigilance in identifying and addressing security flaws in widely used software frameworks.

Apple has addressed the issue with a patch; users should update their systems to macOS Sonoma 14.5 or later to be protected.

For developers and security professionals, this case emphasizes the importance of understanding race conditions and implementing comprehensive security measures to prevent similar vulnerabilities in future software releases.

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.