CloudKit is an Apple framework integrated into iOS and macOS that works as a backend for apps. Developer Frans Rosén has found a way to use Apple’s cloud platform to delete public Siri Shortcuts and even content from other Apple apps such as Apple News.
Rosén began searching for exploits on Apple’s platforms in February of this year. He started checking the traffic of all Apple apps and studying CloudKit in depth. While you always need credentials to read and write private content, the developer found out that public content shared in iCloud can be accessed by anyone with public tokens.
By checking the connections of Apple’s apps with the CloudKit API, Rosén was able to get a valid token to access public content from iCloud. Of course, the actual process was far more complex than it sounds, but the result could be disastrous for Apple if this exploit fell into the wrong hands.
After multiple commands, the developer was able to delete the links to all public Apple News articles.
I spent way too much time on this, almost two days straight, but as soon as I found methods I could use, modification of records in the Public scope still needed authorization for my user, and I was never able to figure out how to generate a X-CloudKit-AuthToken for the proper scope, since I was mainly interested in the Private scope.
Using a similar method, he was also able to break all public links to Siri Shortcuts shared by users. Apple confirmed this on March 25 without saying that it was a security exploit.
Rosén reached out to the Apple Security team, which later fixed the security breach.
If you want to read more in-depth details about the exploit, the developer shared how the attack was done on the Detectify blog.
Approaching CloudKit for bugs turned out to be a lot of fun, a bit scary, and a really good example of what a real deep-dive into one technology can result in when hunting bugs. The Apple Security team was incredibly helpful and professional throughout the process of reporting these issues.