Three Apple CloudKit Vulnerabilities ($64000 USD)
Three bugs relating to insecurely configured CloudKit containers, the big one being the accidental deletion of all Apple Shortcuts, but also the ability to delete records on Apple News, and modify data used on the iCrowd+ website.
CloudKit Primer - For the uninitiated, CloudKit is a data storage framework from apple to take an apps data and store it in the cloud. Application developers can create a container, containers have environments with three scopes (Private, Shared, and Public). Public being accessible by anyone with a public API token. Each scope has zones, the default zone being _defaultZone
and finally, each zone has Records with Fields which have types and where the data is actually stored.
The author also found that there are atleast three different APIs that communicate with CloudKit in different ways. This becomes important as he switches between the API the application uses and one that is easier to communicate with at points.
iCrowd+ - The website was using the CloudKit API with the API-token provided in a javascript file. Using that same API token they were able to update the data it was fetching from CloudKit. For demonstrating replacing the version information displayed.
Apple News - Took a bit more effort to figure things out here because Apple News used the Protobuf API, ultimately using the API that Apple Notes uses (and changing the container) he was able to see that all News articles and stock information were in the public scope. While most of the methods were not allowed one method forceDelete
was, granting the ability to delete any News article or Stock.
Apple Shortcuts - This one caused some drama as the testing became destructive deleting all shared Apple Shortcuts. Essentially shared shortcuts would be moved into the Public envrionment in the _defaultZone
. The problem was that a public user could delete the defaultZone
.