Pixel Envy

Written by Nick Heer.

A Security Researcher Accidentally Deleted All Shared Shortcuts Because of ‘Inconsistent’ Security Controls in CloudKit

Remember how, back in March, all links to Shortcuts just stopped working? I had a lot of guesses about why that was — an internal software update went poorly, perhaps? Or maybe a single server’s problems cascaded across an entire data centre? The truth is, as always, far more wild than you might expect.

Frans Rosén of Detectify:

Quite early on I noticed that a lot of Apple’s own apps used a technology called CloudKit and you could say it is Apple’s equivalent to Google’s Firebase. It has a database storage that is possible to authenticate to and directly fetch and save records from the client itself.

[…]

It was quite complex to understand all different authentication flows, and security roles, and this made me curious. Could it be that this was not only complex for me to understand, but also for teams using it internally at Apple? I started investigating where it was being used and for what.

The climax of this post is a screenshot of an email Rosén sent to Apple’s security team with the subject line “Urgent – CloudKit issue, access misconfiguration with com.apple.shortcuts, accidentally deleted whole public _defaultZone and now gallery and all shared shortcuts for all users are gone”. I guess the answer to the earlier question is “yes”.

What a story.