An iOS 12 vulnerability allows workflows to access system files that should be isolated by the iOS sandbox. A simple directory traversal flaw provides insight into otherwise protected directories that contain comprehensive information about the use of the device. A shortcut can even read files protected by the sandbox by combining a path traversal vulnerability with insufficient sandboxing on folders.
From what I have been able to replicate of this iOS bug over the past few hours, I’ve been unable to find a way to write to the files, but you are able to read and save all files located in these file paths.
iOS 12 bug: filesystem folders accessible by Shortcuts
You shouldn’t be able to access data from another app; that is what the sandbox is meant to prevent. You can also just open a specific file inside the filesystem root folder.
Shortcut to OPEN files on your device:
This vulnerability can be used to access or download files from any target device and send them to another device. That means you shouldn’t install any random shortcuts.
The “Create Folder” action included in Apple’s Shortcuts app can be used to break out of the sandbox, explains the security researcher. It is enough to move up in the directory structure with a series of “../” segments in order to open the desired directory; the sandbox obviously fails. This video demonstrates in a workflow how system files can be read (in this case, harmless information about the iPhone system files) and sent as a zip file via iMessage. The security researcher writes that it is also possible to view the SMS database, notes, usage information, and other analytics data.
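Because the traversal lives in an action's path parameter, a shortcut file can be inspected for "../" segments before it is installed. The following is an added example, not code from the original post or from Apple: it assumes the shortcut is a property list whose actions sit under `WFWorkflowActions` with `WFWorkflowActionIdentifier` and `WFWorkflowActionParameters` keys, and the sample identifiers, parameter names and path are constructed for the demonstration.

```python
import plistlib
from urllib.parse import unquote

def iter_strings(value, path=""):
    """Yield (key_path, text) for every string nested inside a plist value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from iter_strings(item, f"{path}.{key}" if path else str(key))
    elif isinstance(value, (list, tuple)):
        for i, item in enumerate(value):
            yield from iter_strings(item, f"{path}[{i}]")

def has_traversal(text):
    """True if any path component is '..', including percent-encoded forms."""
    parts = unquote(text).replace("\\", "/").split("/")
    return ".." in parts

def audit_shortcut(data):
    """Return one finding per action parameter that climbs the directory tree."""
    plist = plistlib.loads(data)  # accepts XML and binary property lists
    if not isinstance(plist, dict):
        return []
    findings = []
    for index, action in enumerate(plist.get("WFWorkflowActions", [])):
        ident = action.get("WFWorkflowActionIdentifier", "<unknown>")
        params = action.get("WFWorkflowActionParameters", {})
        for key_path, text in iter_strings(params):
            if has_traversal(text):
                findings.append({"action_index": index, "identifier": ident,
                                 "parameter": key_path, "value": text})
    return findings

# Constructed sample: identifiers and parameter names are hypothetical.
SAMPLE = plistlib.dumps({
    "WFWorkflowActions": [
        {"WFWorkflowActionIdentifier": "example.action.text",
         "WFWorkflowActionParameters": {"WFTextActionText": "version 1..2 notes"}},
        {"WFWorkflowActionIdentifier": "example.action.createfolder",
         "WFWorkflowActionParameters": {"WFFilePath": "../../../../example-dir"}},
    ]
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for finding in audit_shortcut(SAMPLE):
        print(finding)
```

A match is a reason to read the shortcut's actions by hand before running it; a clean result does not prove a shortcut is safe, since a path can also be built at run time from variables.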