Frans Rosén published an article describing access control flaws in CloudKit which allowed him to delete Shortcuts of other users.

The article contains an in-depth analysis of the flaw and also provides a good overview of CloudKit's design.

Detectify: Hacking CloudKit – How I accidentally deleted your Apple Shortcuts

Reference: Exploit found in CloudKit let developer delete other users’ Shortcuts

Recommendations

Developer:

Review the CloudKit architecture design.

QA engineer:

Consider using some of the approaches described in the article for testing purposes.

PM/DM:

Business as usual.
