{"id":85486,"date":"2019-02-01T05:38:59","date_gmt":"2019-02-01T13:38:59","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=85486"},"modified":"2021-06-28T02:47:07","modified_gmt":"2021-06-28T09:47:07","slug":"are-ios-shortcuts-safe-reports-of-risks-surface","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/","title":{"rendered":"Are iOS Shortcuts safe? Reports of risks surface"},"content":{"rendered":"<p><img loading=\"lazy\" class=\"aligncenter size-full wp-image-85603\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/02\/iOS-12-Siri-Shortcuts-vulnerabilities-and-risks-600x300.png\" alt=\"\" width=\"600\" height=\"300\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/02\/iOS-12-Siri-Shortcuts-vulnerabilities-and-risks-600x300.png 600w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/02\/iOS-12-Siri-Shortcuts-vulnerabilities-and-risks-600x300-150x75.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/02\/iOS-12-Siri-Shortcuts-vulnerabilities-and-risks-600x300-300x150.png 300w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/p>\n<p><strong>UPDATE 2:<\/strong> Apple has <a href=\"https:\/\/www.intego.com\/mac-security-blog\/apple-patches-group-facetime-shortcuts-vulnerabilities\/\" target=\"_blank\" rel=\"noopener\">released a new version of Shortcuts<\/a> to address these bugs; check the App Store for the update.<\/p>\n<p>Reports have surfaced recently that warn of apparent vulnerabilities in <a href=\"https:\/\/www.intego.com\/mac-security-blog\/use-ios-shortcuts-to-automate-tasks-on-your-iphone-or-ipad\/\" target=\"_blank\" rel=\"noopener\">Shortcuts, a new app and feature introduced in iOS 12<\/a>\u00a0that lets users create a custom series of automated tasks.<\/p>\n<p>The reports began surfacing on January 19, when a developer tweeted the following: (<strong>UPDATE 1:<\/strong> The Twitter account has since changed to a protected status, so the tweets&#8217; screenshots are no longer visible to the public.)<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Shortcuts can even read files protected by the sandbox, by using a path traversal vulnerability incombination with insufficient sandboxing on folders. <a href=\"https:\/\/t.co\/fOQuTfheGv\">pic.twitter.com\/fOQuTfheGv<\/a><\/p>\n<p>&mdash; UKERN Soft\u20a9\u0430re (@userlandkernel) <a href=\"https:\/\/twitter.com\/userlandkernel\/status\/1086828169976528897?ref_src=twsrc%5Etfw\">January 20, 2019<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The developer also claimed to be able to view the folder that contains the SMS text message database files:<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\" data-lang=\"en\">\n<p dir=\"ltr\" lang=\"en\">Works! <a href=\"https:\/\/t.co\/VoSCHTZQNh\">pic.twitter.com\/VoSCHTZQNh<\/a><\/p>\n<p>\u2014 UKERN Soft\u20a9\u0430re (@userlandkernel) <a href=\"https:\/\/twitter.com\/userlandkernel\/status\/1086832505121058816?ref_src=twsrc%5Etfw\">January 20, 2019<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The tweets went almost entirely unnoticed by the Apple-focused press, having only been mentioned in a <a href=\"https:\/\/www.heise.de\/mac-and-i\/meldung\/Apples-Kurzbefehle-App-Shortcuts-koennen-geschuetzte-iPhone-Dateien-abgreifen-4283745.html\" target=\"_blank\" rel=\"noopener\">brief article on the German-language site Heise<\/a>\u00a0a day later.<\/p>\n<p>A week after the tweets were posted, other developers began posting to the Reddit community \/r\/Shortcuts about their own follow-up investigations, warning of the same significant risks in the way Shortcuts behaves.<\/p>\n<p>One of the Reddit threads makes <a href=\"https:\/\/www.reddit.com\/r\/shortcuts\/comments\/ak8jl2\/quick_warning_to_everyone\/\" target=\"_blank\" rel=\"noopener\">further claims about a sandbox escape<\/a> (essentially meaning that shortcuts can do things they shouldn&#8217;t be permitted to do) that allows &#8220;certain parts of the filesystem [to be] writable&#8221; by way of a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Directory_traversal_attack\" target=\"_blank\" rel=\"noopener\">directory traversal attack<\/a>, enabling the creation of numerous large files that can fill up the iOS device&#8217;s System storage to capacity. The same redditor claims that while testing this attack, his iPhone began to overheat.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Follow up, still going, phone is overheating as well <a href=\"https:\/\/t.co\/wWLZLnFinA\">pic.twitter.com\/wWLZLnFinA<\/a><\/p>\n<p>&mdash; Ashton (@Alphalaneous) <a href=\"https:\/\/twitter.com\/Alphalaneous\/status\/1089369697664016384?ref_src=twsrc%5Etfw\">January 27, 2019<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>This could be described as a type of\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Denial-of-service_attack\" target=\"_blank\" rel=\"noopener\">denial-of-service attack<\/a>\u00a0(DoS), since over-full storage and overheating can each cause an iOS device to stop functioning properly. Being able to create a DoS-causing shortcut is bad enough, but the following day another redditor described a more worrisome attack.<\/p>\n<p>A separate thread warned that &#8220;<a href=\"https:\/\/www.reddit.com\/r\/shortcuts\/comments\/akecdb\/be_very_cautious_about_what_shortcuts_you\/\" target=\"_blank\" rel=\"noopener\">Shortcuts is way more powerful than it should be<\/a>.&#8221; The redditor who started this thread claimed to have been &#8220;messing around with url schemes such as &#8216;file:\/\/&#8217; and &#8216;..\/&#8217;, when I came across the delete file action.&#8221; Allegedly, this developer was able to execute another\u00a0directory traversal attack\u00a0to <em>delete<\/em> \/System\/Library\/CoreServices\/prdaily, a behind-the-scenes system utility that iOS uses to clean user caches when a device begins to run low on available storage.<\/p>\n<p>Intego reached out to Apple&#8217;s product security and media teams on Monday to alert them of the issues and to request a comment<del>, but Apple has not yet responded<\/del>. (This is not terribly surprising given that Apple was just beginning to become aware of the <a href=\"https:\/\/www.intego.com\/mac-security-blog\/facetime-spying-bug-discovered-temporarily-worked-around\/\" target=\"_blank\" rel=\"noopener\">FaceTime spying bug<\/a>\u00a0around the same time.) Other news sources had not yet picked up on this story at the time of the publication of this article, but given that these details are already openly available for potential attackers to find and exploit, we felt it was important to make this public service announcement to Shortcuts users.\u00a0<strong>UPDATE 1:<\/strong> On February 6, an Apple Product Security representative finally responded to our request for comment, but only said, &#8220;We are already aware of these issues.&#8221; The representative did not offer any clarification about whether, or when, the issues would be fixed.<\/p>\n<h3>More research on the safety of Shortcuts<\/h3>\n<p>Coincidentally, two other stories broke this week about Shortcuts safety.<\/p>\n<p>On Wednesday, <a href=\"https:\/\/appleinsider.com\/articles\/19\/01\/30\/siri-shortcuts-can-be-used-to-steal-and-send-personal-data-developer-warns\" target=\"_blank\" rel=\"noopener\">AppleInsider wrote about a series of tweets<\/a> that a developer had posted a week earlier (referring to someone else&#8217;s research that perhaps, although not necessarily, may have been inspired by the first research described above).<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">From highly personal contacts, names you&#39;ve typed into iMessage, addresses, browsing history, app usage, file contents<\/p>\n<p>I&#39;d even loaded the entire text of Dickens&#39; David Copperfield into Codea recently to test editing performance. Names and places from the story were indexed \/2 <a href=\"https:\/\/t.co\/2bfIr9aqCS\">pic.twitter.com\/2bfIr9aqCS<\/a><\/p>\n<p>&mdash; Simeon (@twolivesleft) <a href=\"https:\/\/twitter.com\/twolivesleft\/status\/1088080309453676544?ref_src=twsrc%5Etfw\">January 23, 2019<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">You couldn&#39;t expect a reasonable user to know what they were agreeing to run when receiving an Apple-hosted link to this shortcut<\/p>\n<p>With automatic scheduling of shortcuts (<a href=\"https:\/\/t.co\/S5l1M3Rjyx\">https:\/\/t.co\/S5l1M3Rjyx<\/a>) you could possibly trick someone into running a key logger \/4<\/p>\n<p>&mdash; Simeon (@twolivesleft) <a href=\"https:\/\/twitter.com\/twolivesleft\/status\/1088080315208200193?ref_src=twsrc%5Etfw\">January 23, 2019<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The developer was referring to a proof-of-concept (PoC) shortcut he had been shown that was capable of stealing data such as\u00a0&#8220;contacts, names you&#8217;ve typed into iMessage, addresses, browsing history, app usage, [and] file contents.&#8221; A week later, on the same day that the AppleInsider piece was published, the PoC was posted publicly online by its creator, who claimed that Apple does not view the PoC&#8217;s behavior as a bug, but rather &#8220;as intended behavior.&#8221; (Before anyone asks in the comments: No, we will not share a link to the PoC here, nor will we approve comments asking for, or containing, a link to it.)<\/p>\n<p>On Thursday, threat researchers at IBM <a href=\"https:\/\/www.eweek.com\/security\/ibm-warns-of-apple-siri-shortcut-scareware-risk\" target=\"_blank\" rel=\"noopener\">warned about another potential attack involving Shortcuts<\/a>, claiming that, (as reported by eWeek) &#8220;it is possible to use a Siri Shortcut [sic] for malicious purposes, including tricking a user into paying a fee to avoid having his or her information stolen in an attack known as scareware.&#8221; The IBM researchers said that they have not yet seen evidence of Shortcuts-based scareware attacks in the wild.<\/p>\n<h3>How to avoid Shortcuts-related attacks<\/h3>\n<p>Thankfully, iOS 12 doesn&#8217;t come with the new Shortcuts app preinstalled; users have to know about it and seek to <a href=\"https:\/\/itunes.apple.com\/us\/app\/shortcuts\/id915249334\" target=\"_blank\" rel=\"noopener\">download it from the App Store<\/a>. You could choose to avoid downloading the Shortcuts app if you don&#8217;t have it installed, or you could delete it if you&#8217;ve already downloaded it and you don&#8217;t plan to use it.<\/p>\n<p>If you decide to use Apple&#8217;s Shortcuts app, you will notice that the app includes a Gallery where you can find some suggested, Apple-curated shortcuts that should be safe to use. Where things get dicey, however, is with shortcuts sourced from a third party.<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" class=\"aligncenter size-large wp-image-84019\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/11\/iOS-12-shortcuts-400x26--1024x666.jpg\" alt=\"\" width=\"1024\" height=\"666\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/11\/iOS-12-shortcuts-400x26--1024x666.jpg 1024w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/11\/iOS-12-shortcuts-400x26--150x98.jpg 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/11\/iOS-12-shortcuts-400x26--300x195.jpg 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/11\/iOS-12-shortcuts-400x26--768x499.jpg 768w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/11\/iOS-12-shortcuts-400x26--400x260.jpg 400w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/11\/iOS-12-shortcuts-400x26--657x427.jpg 657w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/11\/iOS-12-shortcuts-400x26-.jpg 1910w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/>The Shortcuts app has a Gallery (bottom right) with a curated list.<\/p>\n<p>Apple has made Shortcuts uncharacteristically open to unauthorized developers and third-party distribution sites, making Shortcuts on iOS feel more akin to the Mac ecosystem. And while some third-party sites may curate and verify the safety of user-submitted shortcuts, other sites may not have the same standards, and still others could theoretically be designed to outright deceive you.<\/p>\n<p>The takeaway is that if you decide to use Shortcuts, be sure to stick with developing your own shortcuts or using ones that Apple has curated in its Gallery\u2014and if you really need to use a third-party shortcut for some reason, do your homework and try to make sure it&#8217;s safe first.<\/p>\n<p>&nbsp;<\/p>\n<h3>How can I learn more?<\/h3>\n<p><a href=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/04\/intego-podcast-artwork-400.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/04\/intego-podcast-artwork-400.jpg\" alt=\"\" width=\"80\"  class=\"alignleft\" \/><\/a>Each week on the <a href=\"https:\/\/podcast.intego.com\/\" target=\"_blank\" rel=\"noopener\"><strong>Intego Mac Podcast<\/strong><\/a>, Intego&#8217;s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to <a href=\"https:\/\/podcasts.apple.com\/us\/podcast\/intego-mac-podcast\/id1293834627\" rel=\"noopener\"><strong>follow the podcast<\/strong><\/a> to make sure you don\u2019t miss any episodes.<\/p>\n<p>You can also subscribe to our <strong>e-mail newsletter<\/strong> and keep an eye here on <a href=\"https:\/\/www.intego.com\/mac-security-blog\"><strong>Mac Security Blog<\/strong><\/a> for the latest Apple security and privacy news. And don&#8217;t forget to follow Intego on your favorite social media channels: <a href=\"https:\/\/www.facebook.com\/Intego\" target=\"_blank\" rel=\"noopener noreferrer\">Facebook<\/a>, <a href=\"https:\/\/www.instagram.com\/intego_security\/\" target=\"_blank\" rel=\"noopener noreferrer\">Instagram<\/a>, <a href=\"https:\/\/twitter.com\/IntegoSecurity\" target=\"_blank\" rel=\"noopener noreferrer\">Twitter<\/a>, and <a href=\"https:\/\/www.youtube.com\/user\/IntegoVideo?sub_confirmation=1\" target=\"_blank\" rel=\"noopener noreferrer\">YouTube<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Shortcuts help you automate tasks on your iOS device, but there is a risk of them performing malicious actions. <\/p>\n","protected":false},"author":14,"featured_media":85618,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[11],"tags":[69,4186,4387],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v17.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<meta name=\"description\" content=\"Shortcuts help you automate tasks on your iOS device, but there is a risk of them performing malicious actions.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Are iOS Shortcuts safe? Reports of risks surface - The Mac Security Blog\" \/>\n<meta property=\"og:description\" content=\"Shortcuts help you automate tasks on your iOS device, but there is a risk of them performing malicious actions.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/\" \/>\n<meta property=\"og:site_name\" content=\"The Mac Security Blog\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/JoshLong\" \/>\n<meta property=\"article:published_time\" content=\"2019-02-01T13:38:59+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-06-28T09:47:07+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/02\/iOS-12-Shortcuts-vulnerabilities-and-risks-400x260.png\" \/>\n\t<meta property=\"og:image:width\" content=\"400\" \/>\n\t<meta property=\"og:image:height\" content=\"260\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@theJoshMeister\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Joshua Long\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\",\"name\":\"Intego\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"sameAs\":[],\"logo\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"width\":875,\"height\":875,\"caption\":\"Intego\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\"}},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"name\":\"The Mac Security Blog\",\"description\":\"Keep Macs safe from the dangers of the Internet\",\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/02\/iOS-12-Shortcuts-vulnerabilities-and-risks-400x260.png\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/02\/iOS-12-Shortcuts-vulnerabilities-and-risks-400x260.png\",\"width\":400,\"height\":260,\"caption\":\"iOS 12 Shortcuts vulnerabilities and risks\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/#webpage\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/\",\"name\":\"Are iOS Shortcuts safe? Reports of risks surface - The Mac Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/#primaryimage\"},\"datePublished\":\"2019-02-01T13:38:59+00:00\",\"dateModified\":\"2021-06-28T09:47:07+00:00\",\"description\":\"Shortcuts help you automate tasks on your iOS device, but there is a risk of them performing malicious actions.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.intego.com\/mac-security-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Are iOS Shortcuts safe? Reports of risks surface\"}]},{\"@type\":\"Article\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/#webpage\"},\"author\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1\"},\"headline\":\"Are iOS Shortcuts safe? Reports of risks surface\",\"datePublished\":\"2019-02-01T13:38:59+00:00\",\"dateModified\":\"2021-06-28T09:47:07+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/#webpage\"},\"wordCount\":1099,\"commentCount\":1,\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/02\/iOS-12-Shortcuts-vulnerabilities-and-risks-400x260.png\",\"keywords\":[\"iOS\",\"iOS 12\",\"iOS shortcuts\"],\"articleSection\":[\"Software &amp; Apps\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/#respond\"]}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1\",\"name\":\"Joshua Long\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g\",\"caption\":\"Joshua Long\"},\"description\":\"Joshua Long (@theJoshMeister), formerly Intego\\u2019s Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master\\u2019s degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple\\u00a0ID authentication vulnerability. Josh has conducted cybersecurity research for well over 25 years, which is often featured by major news outlets worldwide. Keep up with Josh via X\/Twitter, LinkedIn, Facebook, Instagram, YouTube, Patreon, Mastodon, the JoshMeister on Security, and more. \\u2014\",\"sameAs\":[\"https:\/\/security.thejoshmeister.com\",\"https:\/\/www.facebook.com\/JoshLong\",\"https:\/\/www.instagram.com\/thejoshmeister\/\",\"https:\/\/www.linkedin.com\/in\/thejoshmeister\",\"https:\/\/www.pinterest.com\/thejoshmeister\/\",\"https:\/\/twitter.com\/theJoshMeister\",\"https:\/\/www.youtube.com\/@theJoshMeister\"],\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/author\/joshlong\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"description":"Shortcuts help you automate tasks on your iOS device, but there is a risk of them performing malicious actions.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/","og_locale":"en_US","og_type":"article","og_title":"Are iOS Shortcuts safe? Reports of risks surface - The Mac Security Blog","og_description":"Shortcuts help you automate tasks on your iOS device, but there is a risk of them performing malicious actions.","og_url":"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/","og_site_name":"The Mac Security Blog","article_author":"https:\/\/www.facebook.com\/JoshLong","article_published_time":"2019-02-01T13:38:59+00:00","article_modified_time":"2021-06-28T09:47:07+00:00","og_image":[{"width":400,"height":260,"url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/02\/iOS-12-Shortcuts-vulnerabilities-and-risks-400x260.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_creator":"@theJoshMeister","twitter_misc":{"Written by":"Joshua Long","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Organization","@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization","name":"Intego","url":"https:\/\/www.intego.com\/mac-security-blog\/","sameAs":[],"logo":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","width":875,"height":875,"caption":"Intego"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo"}},{"@type":"WebSite","@id":"https:\/\/www.intego.com\/mac-security-blog\/#website","url":"https:\/\/www.intego.com\/mac-security-blog\/","name":"The Mac Security Blog","description":"Keep Macs safe from the dangers of the Internet","publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/#primaryimage","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/02\/iOS-12-Shortcuts-vulnerabilities-and-risks-400x260.png","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/02\/iOS-12-Shortcuts-vulnerabilities-and-risks-400x260.png","width":400,"height":260,"caption":"iOS 12 Shortcuts vulnerabilities and risks"},{"@type":"WebPage","@id":"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/#webpage","url":"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/","name":"Are iOS Shortcuts safe? Reports of risks surface - The Mac Security Blog","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/#primaryimage"},"datePublished":"2019-02-01T13:38:59+00:00","dateModified":"2021-06-28T09:47:07+00:00","description":"Shortcuts help you automate tasks on your iOS device, but there is a risk of them performing malicious actions.","breadcrumb":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.intego.com\/mac-security-blog\/"},{"@type":"ListItem","position":2,"name":"Are iOS Shortcuts safe? Reports of risks surface"}]},{"@type":"Article","@id":"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/#article","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/#webpage"},"author":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1"},"headline":"Are iOS Shortcuts safe? Reports of risks surface","datePublished":"2019-02-01T13:38:59+00:00","dateModified":"2021-06-28T09:47:07+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/#webpage"},"wordCount":1099,"commentCount":1,"publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/02\/iOS-12-Shortcuts-vulnerabilities-and-risks-400x260.png","keywords":["iOS","iOS 12","iOS shortcuts"],"articleSection":["Software &amp; Apps"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.intego.com\/mac-security-blog\/are-ios-shortcuts-safe-reports-of-risks-surface\/#respond"]}]},{"@type":"Person","@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1","name":"Joshua Long","image":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g","caption":"Joshua Long"},"description":"Joshua Long (@theJoshMeister), formerly Intego\u2019s Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master\u2019s degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple\u00a0ID authentication vulnerability. Josh has conducted cybersecurity research for well over 25 years, which is often featured by major news outlets worldwide. Keep up with Josh via X\/Twitter, LinkedIn, Facebook, Instagram, YouTube, Patreon, Mastodon, the JoshMeister on Security, and more. \u2014","sameAs":["https:\/\/security.thejoshmeister.com","https:\/\/www.facebook.com\/JoshLong","https:\/\/www.instagram.com\/thejoshmeister\/","https:\/\/www.linkedin.com\/in\/thejoshmeister","https:\/\/www.pinterest.com\/thejoshmeister\/","https:\/\/twitter.com\/theJoshMeister","https:\/\/www.youtube.com\/@theJoshMeister"],"url":"https:\/\/www.intego.com\/mac-security-blog\/author\/joshlong\/"}]}},"jetpack_featured_media_url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/02\/iOS-12-Shortcuts-vulnerabilities-and-risks-400x260.png","jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4VAYd-meO","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/85486"}],"collection":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/comments?post=85486"}],"version-history":[{"count":12,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/85486\/revisions"}],"predecessor-version":[{"id":94069,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/85486\/revisions\/94069"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media\/85618"}],"wp:attachment":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media?parent=85486"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/categories?post=85486"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/tags?post=85486"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}