CloudKit Share Records leak the title of private iCloud files

Summary:

CloudKit Share Records of all iCloud documents/files leak the document’s/file’s title via the records/resolve API call, even when Who can access is set to Only people you invite. This issue affects iCloud documents/files of all type, including Pages, Number, Keynote, and files in iCloud Drive.

Core Issue:

When a document/file is shared with a specific email address and Who can access is set to Only people you invite, a CloudKit Share Record get’s created. The link generated by the frontend looks like this: https://www.icloud.com/[product]/[ShortGUID]#[document-title]. Storing the title in the hash implies that the title should be inaccessible to a yet-logged-in user, hence transported in the URL’s hash segment. But even as an unauthenticated user, querying the records/resolve CloudKit endpoint with the file’s ShortGUID, the title is returned in the share -> fields -> cloudkit.title field.

Other privacy sensitive data is returned in the same unauthenticated response, such as the owner of the document. This behaviour could as well be debated. Other similar providers like Google Drive don’t expose the owner of a file if the requestor has no access to the document.

Impact:

If an iCloud file is shared with at least one entity & the attacker knows the file’s ShortGUID, the attacker can query the file’s title without having any access to the document. Knowing a file’s ShortGUID is not a privileged position, and it should only provide access to the tile if the file’s Who can access is set to Anyone with the link.

Steps to reproduce:

1. Log in to iCloud and visit https://www.icloud.com/pages/
2. Create a new document, and set a custom title. Make some changes to the file to trigger a save.
3. Share the file with a specific email address, and make sure Share Options -> Who can access is set to Only people you invite.
4. Extract the ShortGUID from the generated link.
5. Replace ShortGUID_From_Step_4 in the body of this HTTP request, and send it.

POST /database/1/com.apple.cloudkit/production/public/records/resolve HTTP/1.1
Host: ckdatabasews.icloud.com
Content-Length: 56

{"shortGUIDs":[{"value":"[ShortGUID_From_Step_4]"}]}

6. See that the file’s current title is returned in response to this unauthenticated request.

[Disclosure Warning]:

This issue is subject to a 90 day disclosure deadline. On 2022-03-06 this issue will be publicly disclosed. If you would like to redact additional information or if for some reason the issue can’t be fixed until the deadline, let me know.

Discussion:

Vendor - 2021-12-06

Hello,

Thank you for sharing this report with us.

You should have already received our automated response message. I have reviewed your report, and we are investigating.

Because of the potentially sensitive nature of security issues, we ask that this information remain between you and Apple while we investigate it further.

We don’t automatically provide status updates on issues as we work on them. We will reach out if we have any questions or need additional details. Please include the Follow-up: number when requesting updates. Including this Follow-up: number allows us to rapidly associate it with your original report.

Thank you again for taking the time to share this report with us.

Best regards,
[redacted]
Apple Product Security

Vendor - 2021-12-11

Hello,

In order to help us reproduce and investigate this issue, we will need some additional details. Do you have a proof-of-concept or other example file that reproduces the issue? If so, we would appreciate it if you could send that along to us.

Best regards,
[redacted]
Apple Product Security

Me - 2021-12-13

Hi,

I have recorded a proof of concept video of the issue: https://youtu.be/hViPqrHzyIs

As you can see, the final manually sent unauthenticated HTTP request with the ShortGUID exposes the title of the document, even though the document’s Who can access setting is set to Only people you invite.

Thank you,
David

Vendor - 2021-12-13

Hello David,

Thank you for the additional information. The information you’ve provided will be helpful in our efforts to determine the cause of the issue you reported.

We appreciate your assistance in improving the security of our products.

Best regards,
[redacted]
Apple Product Security

Vendor - 2022-01-21

Hello David,

Please treat the following information as confidential.

The issue you reported will be partially addressed in a spring 2022 security update. We are still investigating ways to fully address the remaining issues. This is tentatively planned for fall 2022. We ask you to refrain from publishing the details of your report until it is addressed in all platforms and the CVE is published on our security advisory.

Best regards,
[redacted]
Apple Product Security

Vendor - 2022-02-09

Hello David,

Please treat the following information as confidential.

After further review it was found that more changes were needed to address the issues. This report now will be fully addressed in a fall 2022 security update. We ask you to refrain from publishing the details of your report until it is addressed in all platforms and the CVE is published on our security advisory.

Best regards,
[redacted]
Apple Product Security

Vendor - 2022-02-28

Hello David,

Please treat the following information as confidential.

We would like to provide you with a status update for this report.

We anticipate this issue to be fully addressed in the next few weeks. To ensure adequate testing of the changes we have made, we are requesting a 30 day extension to your disclosure plans. The updated disclosure date for this report would instead be March 28, 2022.

Are you willing to withhold disclosure of this report until it has been addressed on all platforms and the CVE is published on our security advisory?

Best regards,
[redacted]
Apple Product Security

Me - 2022-02-28

Hello [redacted],

Thank you for reaching out, I appreciate it. Yes, I am OK with extending the disclosure date by 30 days.

The new disclosure date is Tuesday, 5 April 2022, or once the fix & CVE has been published. Whichever comes first.

Thanks,
David

Vendor - 2022-03-01

Hello David,

Thank you for confirming the new disclosure date. We appreciate your patience while we address this issue.

Best regards,
[redacted]
Apple Product Security

Me - 2022-03-26

Hello,

I just tested the issue and it looks fixed, seemingly even for previously generated share items.

I have a few final questions regarding this bug:

• Has a CVE been issued for this bug?
• Does this bug qualify for Apple Security Bounty?

Thank you,
David

Vendor - 2022-03-28

Hello David,

Thank you for confirming you are no longer able to reproduce this issue.

A CVE will be assigned to this issue shortly - we will follow up with those details soon.

Regarding ASB, this issue is currently undergoing evaluation for an Apple Security Bounty. If applicable, we will reach out to you regarding the next steps.

Thank you again for sending us this report. We look forward to any you may send our way in the future.

Best regards,
[redacted]
Apple Product Security