One day in the spring, all links to Apple’s Shortcuts suddenly stopped working, which attracted the attention of several news sites. The cause was thought to be a bug or an internal mistake, but now it turns out that it was Swedish hacker and security researcher Frans Rosén who accidentally deleted all the content in a database.
Rosén explains in a blog post how he discovered several security flaws in iCloud’s database management. Among other things, Apple had made it possible for anyone to add and delete content in a number of databases belonging to various iCloud services.
First, he found a bug in something called iCrowd+ that appears to be related to Siri development. Then he moved on to Apple News and discovered that it was possible to delete content in the service (something he tested on his own News account). Had someone with malicious intent made this discovery, it would have been possible to temporarily empty Apple News of all content.
But it was when he was testing on the Shortcuts database that things went wrong. After testing various things and detecting no security risks, he double-checked by sending a request to delete the default zone. Soon after, all Shortcuts links stopped working, and Frans Rosén contacted Apple to explain what had happened.
Apple fixed all the discovered bugs, and after a few days, Shortcuts sharing was restored. The company did a more thorough review of all its databases to make sure there were no similar problems elsewhere, and paid Frans Rosén a total of $64,000 (roughly £46,000) in rewards for the discoveries.
This article originally appeared on Macworld Sweden. Translation (using DeepL) by David Price.