Swedish hackers found serious errors in Icloud – deleted all Shortcut links

One day this spring, all the links to Apple’s Shortcuts suddenly stopped working, which was noticed by several news sites. The cause was thought to be a bug or an internal mistake, but now it turns out that it was the Swedish hacker and security researcher Frans Rosén who accidentally deleted all content in a database.

Frans Rosén writes in one blog posts about how he discovered several security flaws in ICloud’s database management. Among other things, Apple had made it possible for anyone to add and remove content in a number of databases belonging to various Icloud services.

First, he found a bug in something called Icrowd + and seems to have something to do with Siri development. Then he went on to Apple News and discovered that it was possible to delete content in the service (something he tested through on his own News account). Had someone maliciously made the discovery, it would have been possible to temporarily empty the entire Apple News of content.

But it was when he was going to test the database for Shortcuts that it went wrong. After testing various things that did not lead to any discoveries of actual security risks, he double-checked by sending a request to delete the default zone. Nothing else had worked, but that was it.

Shortly afterwards, all shortcut links stopped working, and Frans Rosén contacted Apple to explain what had happened.

Apple fixed all detected bugs, and after a few days, shortcut sharing was restored. The company made a more thorough review of all its databases to ensure that no similar problems existed elsewhere, and paid Frans Rosén a total of approximately SEK 550,000 in reward for the discoveries.