Frans Rosén published an article describing access control flaws in CloudKit which allowed him to delete Shortcuts of other users.

Article contains in-depth analysis of the flaw and also provides good overview of CloudKit design.

Detectify: Hacking CloudKit – How I accidentally deleted your Apple Shortcuts

Reference: Exploit found in CloudKit let developer delete other users’ Shortcuts



Review the CloudKit architecture design.

QA engineer:

Consider using some of the approaches for testing purposes.


Business as usual.

Leave a comment

Leave a Reply