A clever vulnerability was found in Apple’s operating systems (iOS, iPadOS, and macOS) in 2022. Tracked as CVE-2022-32938, this bug let attackers use Shortcuts—a built-in app—to poke around and see if *any* file or directory exists on your device. Apple patched this in iOS 16.1, iPadOS 16, and macOS Ventura 13. In this article, we’ll break down the bug, see some code, and understand how big a deal it was in simple terms.

In Apple’s words

> A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in iOS 16.1 and iPadOS 16, macOS Ventura 13. A shortcut may be able to check the existence of an arbitrary path on the file system.

In plain English:  
Shortcuts (Apple’s automation app) failed to properly check directory paths. This meant a Shortcut could try to look up any path—like /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb—and get a “yes” or “no” answer about whether it exists. Normally, apps should not be able to query files or folders outside their sandbox.

Even just knowing whether a file exists is a risk

- Attackers could check if you have certain apps/data.

The Shortcuts app, using a flawed parser, checks the file system.

3. It reports back whether or not that file exists (even though it’s outside what a shortcut should reach).

The Shortcut can do this for any path—completely violating sandbox rules.

### Example Code/Snippet

With the Shortcuts app, attackers could use the "Get File" or "Find" actions. Shortcuts is graphical, so here is a Python-like simulation of the same logic:

```python
import os

# Maliciously try to see if a sensitive file exists
sensitive_path = "/private/var/mobile/Library/AddressBook/AddressBook.sqlitedb"

if os.path.exists(sensitive_path):
    print("Sensitive file exists!")
else:
    print("Sensitive file not found.")
```

With the real exploit, the Shortcut could store the answer and upload or display it.

You could set up a Shortcut like

- “Get File” at /private/var/mobile/Library/SMS/sms.db

### What's the Patch?

Apple fixed CVE-2022-32938 by enforcing better validation of paths in Shortcuts. Now, Shortcuts is properly sandboxed; it cannot step out and check arbitrary files.

This fix landed in

- iOS 16.1 & iPadOS 16 Release Notes
- macOS Ventura 13 Release Notes
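
Apple's advisory gives no detail beyond "improved path validation", so the following is an added example, not Apple's code and not from the original article, of one common way to do such validation: resolve the requested path first, confine it to a container directory, and give the same answer for anything outside it. The function names and the temporary directory layout are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def naive_exists(container_root: str, requested: str) -> bool:
    """Unvalidated check: joins the strings and asks the file system."""
    return os.path.exists(os.path.join(container_root, requested))


def confined_exists(container_root: str, requested: str) -> bool:
    """Existence check that only answers for paths inside container_root."""
    root = Path(container_root).resolve()
    # Join, then resolve: collapses ".." and follows symlinks, so the
    # decision is made on the real target rather than the string as typed.
    # An absolute `requested` replaces root in the join and fails the test.
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        return False  # outside: same answer whether or not it exists
    return candidate.exists()


def demo() -> dict:
    """Probe a constructed directory layout with both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        container, outside = Path(tmp, "container"), Path(tmp, "outside")
        (container / "docs").mkdir(parents=True)
        outside.mkdir()
        (container / "docs" / "note.txt").write_text("inside")
        (outside / "secret.db").write_text("outside")
        os.symlink(outside, container / "link")  # symlink leaving the container
        probes = {
            "inside_present": "docs/note.txt",
            "inside_absent": "docs/missing.txt",
            "dotdot_present": "../outside/secret.db",
            "dotdot_absent": "../outside/nope.db",
            "symlink_present": "link/secret.db",
            "absolute_present": str(outside / "secret.db"),
        }
        return {
            name: (naive_exists(str(container), p), confined_exists(str(container), p))
            for name, p in probes.items()
        }


if __name__ == "__main__":
    for name, (naive, confined) in demo().items():
        print(f"{name:17} naive={naive!s:5} confined={confined}")
```

In the confined check, an outside path that exists and one that does not both come back `False`, which is what removes the yes/no signal the article describes.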

Here’s what an “exploit” could look like, in plain Shortcuts steps

1. Add a "Get File" action, set to a specific path (ex: /private/var/mobile/Library/Notes/).

Run the Shortcut. The existence of a system file is now exposed.

No extra permissions needed—this is what made it so dangerous!

### Timeline

- Reported: Sometime in 2022 (the official Apple security notes do not say exactly who found it).
- Patched: iOS 16.1 / iPadOS 16 (released Oct 2022), macOS Ventura 13.

### Original References

- Apple Security Release Notes for iOS 16.1 and iPadOS 16
- macOS Ventura 13 Security Release Notes
- NIST National Vulnerability Database: CVE-2022-32938

### Conclusion

CVE-2022-32938 may sound technical, but it’s all about curiosity—finding out whether a file is there or not, when you shouldn’t be able to. Apple’s fix restored the boundaries, keeping apps like Shortcuts in their sandbox, and keeping your files private.

Upgrade your devices! If you’re not on iOS/iPadOS 16.1 or macOS Ventura 13 or later, you’re vulnerable.



Timeline

Published on: 11/01/2022 20:15:00 UTC
Last modified on: 11/02/2022 17:21:00 UTC