macOS WorkflowKit Race Vulnerability Allows Malicious Apps to Intercept Shortcuts

A race condition vulnerability in Apple’s WorkflowKit has been identified, allowing malicious applications to intercept and manipulate shortcuts on macOS systems.

This vulnerability, cataloged as CVE-2024-27821, affects the shortcut extraction and generation processes within the WorkflowKit framework, which is integral to the Shortcuts app on macOS Sonoma.

macOS WorkflowKit Race Vulnerability

The vulnerability arises from a race condition in the method responsible for extracting signed shortcut files. The method -[WFShortcutPackageFile preformShortcutDataExtractionWithCompletion:] contains a flaw that can be exploited by malicious apps.

These apps can intercept shortcut files during the import process, bypassing the need for a valid signature check. The exploitation involves modifying the extracted files before they are finalized, allowing an attacker to inject malicious code into shortcuts without user consent.

Moreover, another race condition was discovered in the method generateSignedShortcutFileRepresentationWithPrivateKey:signingContext:error.

This flaw allows for similar interception and modification during the generation of signed shortcuts. By manipulating directory paths and using symbolic links, attackers can replace legitimate shortcuts with altered versions during the signing process.

The implications of this vulnerability are significant. Malicious apps could potentially run silently in the background, intercepting shortcuts shared or imported by users.

This could lead to unauthorized access to sensitive user data or execution of unintended actions within shortcuts. The vulnerability underscores the importance of robust path handling and validation mechanisms in software development.

Apple has addressed this vulnerability in macOS Sonoma 14.5 by implementing additional sandbox restrictions and improving path validation processes.

This patch prevents unauthorized access to temporary directories used during shortcut extraction and generation, effectively mitigating the risk of exploitation.
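The article notes that the fix came down to sandbox restrictions and stricter path validation around the temporary directories. As an added example that is not part of the advisory and not Apple's WorkflowKit code, the C below shows the defensive pattern that closes this class of race: stage extracted components in a private directory, open them relative to a directory descriptor with O_NOFOLLOW, and verify and consume the bytes from that same descriptor so a swapped path or planted symlink is never resolved a second time. The function names and the file names used are assumptions.

```c
#define _GNU_SOURCE                 /* mkdtemp, openat, O_NOFOLLOW on glibc */
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private staging directory (mkdtemp uses mode 0700) and return a
   descriptor to it, so later work is relative to the directory we created. */
int open_private_stage_dir(char *template) {
    if (mkdtemp(template) == NULL) return -1;
    int dfd = open(template, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    struct stat st;
    /* Must be our own directory and not readable/writable by anyone else. */
    if (fstat(dfd, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != getuid() || (st.st_mode & 077) != 0) {
        close(dfd);
        return -1;
    }
    return dfd;
}

/* Write one extracted component into the stage. O_EXCL refuses to reuse a
   pre-existing entry (symlink or otherwise); mode 0600 keeps it private. */
int write_staged_file(int dfd, const char *name, const void *data, size_t len) {
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, len);
    close(fd);
    return (n == (ssize_t)len) ? 0 : -1;
}

/* Open a staged component without following symlinks, check the descriptor
   (not the path) is a regular file we own with a single link, then read it.
   The caller verifies the signature on this buffer and uses these same bytes. */
ssize_t read_staged_file(int dfd, const char *name, char *buf, size_t cap) {
    int fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != getuid() || (st.st_mode & 022) != 0) {
        close(fd);
        return -1;
    }
    ssize_t n = read(fd, buf, cap);
    close(fd);
    return n;
}
```

The signature check itself is deliberately left to the caller: the point is that whatever verifies the content operates on the buffer returned here, not on a path that can be re-resolved.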

The discovery and reporting of this vulnerability were credited to security researchers Kirin (@Pwnrin), zbleet, and Csaba Fitzl (@theevilbit) of Kandji. Their efforts highlight the ongoing need for vigilance in identifying and addressing security flaws in widely used software frameworks.

Apple has addressed this issue with a patch; users are advised to update their systems to macOS Sonoma 14.5 or later to ensure protection against potential exploits.

For developers and security professionals, this case emphasizes the importance of understanding race conditions and implementing comprehensive security measures to prevent similar vulnerabilities in future software releases.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
