Filesystem folders accessible iOS 12 Bug via shortcuts
A simple directory traversal gap provides insight into otherwise protected directories that contain comprehensive information about the use of the device.
Like a Shortcuts can even read files protected by the sandbox, by using a path vulnerability in combination with insufficient sandboxing escalation on folders.
From what I have been able to replicate this iOS bug from the past few hours.
I’ve been unable to find a way to write to the files, but you are able to read and save all files located in these file paths
You shouldn’t access data from another app, which the sandbox prevents.
You can also just open a specific file inside for filesystem root folder
Shortcut to OPEN files on your device:
This vulnerability can be used to access or download files from any target device and send it to other devices.
That’s means you shouldn’t install any random shortcuts.
The “Create Folder” action stored in Apple’s shortcut app can be used to break out of the sandbox, explains the security researcher.
It is enough to move up in the directory structure
by a series of “../” commands in order to open
the desired directory—the sandbox obviously fails.
This video demonstrates in workflow how system files can be
read—in this case, harmless information about the iPhone system
files—and sent as a zip file via iMessage.
The security researcher writes that it is also possible to view the
SMS database, notes, usage information, and other analytics data.
532 total views, 2 views today