Hackers steal iCloud photos through calendar invites — no clicks required

Even Apple’s Calendar app can be vulnerable



A security researcher has detailed an old hack in macOS that gave hackers full access to a user’s iCloud, needing only a calendar invite to succeed.

In 2022, security researcher Mikko Kenttala discovered a zero-click vulnerability within macOS Calendar that could allow attackers to add or delete files in the Calendar sandbox environment. The vulnerability allowed attackers to execute malicious code and access sensitive data stored on the victim’s device, including iCloud Photos.

The exploit starts with the attacker sending a calendar invite containing a malicious file attachment. The filename isn’t properly sanitized, which allows the attacker to perform a “directory traversal” attack, meaning they can manipulate the file’s path and place it in unintended locations.

The vulnerability (CVE-2022-46723) lets attackers overwrite or delete files within the Calendar app’s filesystem. For example, if the attacker sends a file named “FILENAME=../../../malicious_file.txt,” it will be placed outside its intended directory in a more dangerous location in the user’s filesystem.
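As an added illustration, not code from Kenttala's write-up or from Apple, here is a Python sketch of the unsafe filename handling described above beside a contained version. The sandbox path, the iCalendar ATTACH line and the helper names are constructed for this example.

```python
import os
import re

# Constructed stand-in for the Calendar app's attachment store
# (hypothetical path, not Apple's real sandbox location).
SANDBOX = "/tmp/calendar_sandbox/attachments"

# Constructed iCalendar ATTACH property carrying the traversal filename
# quoted in the article.
ICS_ATTACH = (
    "ATTACH;FILENAME=../../../malicious_file.txt;"
    "ENCODING=BASE64;VALUE=BINARY:aGVsbG8="
)


def attach_filename(line: str) -> str:
    """Pull the FILENAME parameter out of an ATTACH property line."""
    m = re.search(r";FILENAME=([^;:]+)", line)
    if not m:
        raise ValueError("ATTACH line has no FILENAME parameter")
    return m.group(1)


def naive_target(name: str) -> str:
    """Unsafe pattern: join the sender-supplied name straight onto the sandbox.
    The '..' components walk out of the directory."""
    return os.path.normpath(os.path.join(SANDBOX, name))


def escapes_sandbox(path: str) -> bool:
    """True when the resolved path is not a descendant of the sandbox."""
    root = os.path.realpath(SANDBOX)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def safe_target(name: str) -> str:
    """Hardened version: keep only the final path component, then confirm
    the resolved path still lies inside the sandbox before using it."""
    base = os.path.basename(name)  # strips "../../../" and absolute prefixes
    if base in ("", ".", ".."):
        raise ValueError(f"rejected attachment name: {name!r}")
    candidate = os.path.realpath(os.path.join(SANDBOX, base))
    if escapes_sandbox(candidate):
        raise ValueError(f"path escapes sandbox: {candidate}")
    return candidate
```

Run `naive_target(attach_filename(ICS_ATTACH))` to see the file land at the filesystem root, and `safe_target(...)` to see it pinned inside the sandbox.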

Attackers could further escalate the attack by using the arbitrary file write vulnerability. They could inject malicious calendar files designed to execute code when macOS is upgraded, particularly from Monterey to Ventura.

[Figure: The full exploit chain. Flowchart detailing how an arbitrary file write vulnerability can lead to unauthorized access to iCloud Photos through various injection methods and SMB-mounting a malicious application.]

These files included events with alert functionalities that triggered when the system processed calendar data. Injected files would contain code to automatically launch files like .dmg images and .url shortcuts, eventually leading to remote code execution (RCE).

Eventually, the attacker could completely take over the Mac without the user’s knowledge or interaction.

Fortunately, this is not a live threat: Apple patched it over several updates from October 2022 to September 2023. These fixes involved tightening file permissions within the Calendar app and adding additional security layers to prevent the directory traversal exploit.

How to stay safe from zero-click attacks

To stay safe from zero-click vulnerabilities like the one discovered in macOS Calendar, it’s crucial to follow a few protective measures. First and foremost, always keep your software up to date.

Apple frequently releases patches that address security flaws, and enabling automatic updates ensures you’ll get critical fixes. Finally, strengthen your device’s security settings by restricting apps’ access to sensitive data, such as your calendar, photos, and files.
