CVE-2024-23245 in macOS
Summary
by MITRE • 03/08/2024
This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Monterey 12.7.4, macOS Sonoma 14.4, macOS Ventura 13.6.5. Third-party shortcuts may use a legacy action from Automator to send events to apps without user consent.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/03/2026
This vulnerability represents a significant security gap in macOS automation frameworks that allowed unauthorized application interactions through legacy Automator actions. The flaw specifically affected the consent mechanisms within the operating system's user interface automation capabilities, where third-party shortcuts could exploit deprecated functionality to send events to applications without proper user acknowledgment. The issue stems from the persistence of legacy action implementations that bypassed modern security protocols designed to prevent unauthorized system interactions. This vulnerability impacts the fundamental principle of user consent in macOS security architecture, where users should explicitly authorize any automation actions that could potentially affect system behavior or application states. The problem particularly affected the integration between third-party shortcut applications and the underlying macOS automation infrastructure, creating potential attack vectors for malicious actors to execute unauthorized actions.
The technical implementation of this vulnerability leveraged legacy Automator actions that maintained backward compatibility with older macOS versions while failing to enforce current user consent requirements. These legacy actions operated outside the standard security boundaries that typically govern application interactions, allowing shortcuts to directly send events to target applications without prompting user confirmation. The flaw essentially created a pathway where automation workflows could execute commands or send inputs to applications without the user being aware of or explicitly approving such actions. This bypass mechanism operated at the system level within the automation framework, where the underlying event sending mechanisms were not properly validated against current consent policies. The vulnerability's root cause aligns with CWE-693, which addresses protection mechanism failures in security systems, and demonstrates how legacy code implementations can create persistent security weaknesses even after main security features have been updated.
The operational impact of this vulnerability extends beyond simple privacy concerns to encompass potential system compromise and unauthorized application manipulation. Attackers could potentially exploit this weakness to execute malicious automation workflows that perform actions such as sending keystrokes to password fields, triggering application functions that could lead to data exfiltration, or manipulating application states without user knowledge. The threat landscape for this vulnerability includes both automated malware campaigns and targeted attacks where adversaries could craft malicious shortcuts to exploit the consent bypass mechanism. This vulnerability particularly affects users who rely heavily on third-party automation tools and shortcuts, as these applications often depend on legacy functionality that may not have been updated to comply with current security standards. The impact is amplified by the fact that these legacy actions were designed for compatibility rather than security, making them attractive targets for exploitation. Organizations and individuals using macOS automation frameworks should consider the potential for unauthorized actions being performed through seemingly benign third-party applications.
The remediation approach for this vulnerability involved implementing additional user consent prompts that specifically target the problematic legacy Automator actions. Apple's response included updates to macOS versions 12.7.4, 13.6.5, and 14.4, which introduced enhanced validation mechanisms for automation actions and required explicit user confirmation before allowing event sending operations. This update aligns with the ATT&CK framework's T1059.001 technique for command and scripting interpreter, as it addresses the execution of automation commands through modified user consent mechanisms. The implementation required modifications to the automation framework's event handling logic to ensure that all application interactions require explicit user approval, particularly when legacy actions are involved. System administrators should ensure that all macOS installations are updated to the patched versions to eliminate this vulnerability. The solution demonstrates the importance of maintaining security controls even in legacy system components and highlights the need for continuous security auditing of backward compatibility features. Users should be educated about the importance of reviewing application permissions and understanding the automation capabilities they grant to third-party applications. The vulnerability serves as a reminder that security updates must address not only new threats but also the persistent risks introduced by legacy code implementations that may not have been properly secured against evolving attack vectors.