{
"id":1162269,
"date":"2024-02-23T06:21:40",
"date_gmt":"2024-02-23T08:21:40",
"guid":{"rendered":"https:\/\/teknomers.com\/fr\/des-chercheurs-detaillent-la-recente-vulnerabilite-des-raccourcis-zero-clic-dapple\/"},
"modified":"2024-02-23T06:21:45",
"modified_gmt":"2024-02-23T08:21:45",
"slug":"des-chercheurs-detaillent-la-recente-vulnerabilite-des-raccourcis-zero-clic-dapple",
"status":"publish",
"type":"post",
"link":"https:\/\/teknomers.com\/fr\/des-chercheurs-detaillent-la-recente-vulnerabilite-des-raccourcis-zero-clic-dapple\/",
"title":{"rendered":"Researchers Detail Apple&#8217;s Recent Zero-Click Shortcuts Vulnerability"},
"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">23 February 2024<\/span><span class=\"author\">Editorial staff<\/span><\/span><span class=\"p-tags\">Data privacy \/ iOS security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Details have emerged about a now-patched high-severity security flaw in Apple&#8217;s Shortcuts app that could allow a shortcut to access sensitive information on the device without the user&#8217;s consent.<\/p>\n<p>The vulnerability, tracked as <a rel=\"nofollow noopener\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-23204\" target=\"_blank\">CVE-2024-23204<\/a> (CVSS score: 7.5), was resolved by Apple on January 22, 2024, with the release of <a rel=\"nofollow noopener\" href=\"https:\/\/support.apple.com\/en-us\/HT214059\" target=\"_blank\">iOS 17.3, iPadOS 17.3<\/a>, <a rel=\"nofollow noopener\" href=\"https:\/\/support.apple.com\/en-us\/HT214061\" target=\"_blank\">macOS Sonoma 14.3<\/a> and <a rel=\"nofollow noopener\" href=\"https:\/\/support.apple.com\/en-us\/HT214060\" target=\"_blank\">watchOS 10.3<\/a>.<\/p>\n<p>&#8220;A shortcut may be able to use sensitive data with certain actions without prompting the user,&#8221; the iPhone maker said in an advisory, noting that the issue was fixed with &#8220;additional permissions checks.&#8221;<\/p>\n<p>Apple Shortcuts is a <a rel=\"nofollow noopener\" href=\"https:\/\/support.apple.com\/en-us\/guide\/shortcuts\/welcome\/ios\" target=\"_blank\">scripting application<\/a> that lets users create custom workflows (also known as macros) to <a rel=\"nofollow noopener\" href=\"https:\/\/thenextweb.com\/news\/how-to-create-a-simple-rss-feed-reader-on-ios\" target=\"_blank\">run<\/a> <a rel=\"nofollow noopener\" href=\"https:\/\/thenextweb.com\/news\/how-to-grab-beautiful-free-wallpapers-for-your-iphone-or-ipad-with-a-quick-shortcut\" target=\"_blank\">specific tasks<\/a> on their devices. It is installed by default on iOS, iPadOS, macOS and watchOS.<\/p>\n<p>Jubaer Alnazi Jabin, a security researcher at Bitdefender who discovered and reported the Shortcuts bug, said it could be used to craft a malicious shortcut that bypasses Transparency, Consent, and Control (<a rel=\"nofollow noopener\" href=\"https:\/\/www.sentinelone.com\/labs\/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design\/\" target=\"_blank\">TCC<\/a>) policies.<\/p>\n<p><iframe loading=\"lazy\" title=\"CVE-2024-23204 in action\" width=\"640\" height=\"480\" src=\"https:\/\/www.youtube.com\/embed\/eXoyFR42nXE?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/p>\n<p>TCC is an Apple security framework designed to protect user data from unauthorized access without first requesting the appropriate permissions.<\/p>\n<p>Specifically, the flaw is rooted in a shortcut action called &#8220;Expand URL,&#8221; which expands and cleans up URLs that were shortened with a URL-shortening service such as t.co or bit.ly, while also stripping <a rel=\"nofollow noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/UTM_parameters\" target=\"_blank\">UTM tracking parameters<\/a>.<\/p>\n<p>&#8220;By exploiting this feature, it became possible to transmit the Base64-encoded data of a photo to a malicious website,&#8221; Alnazi Jabin <a rel=\"nofollow noopener\" href=\"https:\/\/www.bitdefender.com\/blog\/labs\/details-on-apples-shortcuts-vulnerability-a-deep-dive-into-cve-2024-23204\/\" target=\"_blank\">explained<\/a>.<\/p>\n<p>&#8220;The method involves selecting any sensitive data (photos, contacts, files and clipboard data) within Shortcuts, importing it, converting it using the base64 encode option, and ultimately forwarding it to the malicious server.&#8221;<\/p>\n<p>The exfiltrated data is then captured and saved as an image on the attacker&#8217;s side using a Flask application, paving the way for follow-on exploitation.<\/p>\n<p>&#8220;Shortcuts can be exported and shared among users, a common practice in the Shortcuts community,&#8221; the researcher said. &#8220;This sharing mechanism extends the potential reach of the vulnerability, as users unknowingly import shortcuts that might exploit CVE-2024-23204.&#8221;<\/p>\n<\/div>\n<p>Source: <a href=\"https:\/\/thehackernews.com\/2024\/02\/researchers-detail-apples-recent-zero.html\" rel=\"nofollow noopener\" target=\"_blank\">thehackernews.com<\/a><\/p>\n","protected":false},
"excerpt":{"rendered":"<p>23 February 2024 Editorial staff Data privacy \/ iOS security Details have emerged about a now-patched high-severity security flaw in Apple&#8217;s Shortcuts app that could allow a shortcut to access sensitive information on the device without the user&#8217;s consent. The vulnerability, tracked as CVE-2024-23204 (CVSS score: 7.5), was [&hellip;]<\/p>\n","protected":false},
"author":1,
"featured_media":1162271,
"comment_status":"closed",
"ping_status":"open",
"sticky":false,
"template":"",
"format":"standard",
"meta":{"footnotes":""},
"categories":[6],
"tags":[200292,12848,17155,4168,4165,4161,200267,7577,133,38951,4159,4171,200271,200268,200269,200270,47953,27730,128318,4172,4169,4166,3667,4164,7318],
"class_list":["post-1162269","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-actualites-sur-la-cybersecurite","tag-chercheurs","tag-clic","tag-comment-pirater","tag-cyber-attaques","tag-cyber-mises-a-jour","tag-cyberactualites","tag-dapple","tag-des","tag-detaillent","tag-lactualite-de-la-cybersecurite-aujourdhui","tag-lactualite-des-hackers","tag-logiciel-malveillant-rancongiciel","tag-mises-a-jour-sur-la-cybersecurite","tag-nouvelles-des-pirates","tag-nouvelles-sur-le-piratage","tag-raccourcis","tag-recente","tag-securite-des-informations","tag-securite-informatique","tag-securite-internet","tag-violation-de-donnees","tag-vulnerabilite","tag-vulnerabilite-logicielle","tag-zero"],
"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/1162269","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=1162269"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/1162269\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/1162271"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=1162269"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=1162269"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=1162269"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}
}