What is “ShortcutsActions” and why is it accessing my contacts so much? I’ve never seen it in my privacy report before ? Anyone else have this in their privacy report?
[Edited by Moderator]
iPhone 16 Pro Max
Ruckles wrote:
Apple’s About App Privacy Report page details every app that accesses contact data. Shortcuts isn’t mentioned.
The mistake you are making is that you think ShortcutActions is an App and is the same thing as the Shortcut App. It is NOT. ShortcutActions operates under the App Intent Framework. These are "hooks" built into the apps to perform some function that can be called by another App or the System. Developers can create their own App Intents to perform a function by using Siri, add an action in the Shortcut App, or fetch some data from the app for use in a Widget.
App Intents | Apple Developer Documentation
In your screenshot of Messsages having access to your Contact Info, guess how it gets that information. If you said a ShortcutAction you would be correct. Messages is not launching the Shortcut App to get this information, it is using an App Intent built into the Contacts app to get it. You also cannot tell Messages that you do not want to give it access to your Contacts so you will not be preventing ShortcutActions from being used when Messages wants to know what name is associated with the number that just sent you a message.
Another thing you fail to realize is that even though the Shortcut app does not show that it has access to the Contacts in the Privacy Page, the Shortcut app can certainly be used to access Contacts. One of the publicly available actions to the Contacts app in the Shortcut app is called "Add New Contact", where it can take a First Name, Last Name, or Company Name as input and when run a new contact will be added to the Contacts app.
Carking2013 wrote:
That would make sense if I had the shortcuts app installed on my iPhone but I do not. I uninstalled that the second I got the phone. And I’ve had the phone for months. And according to my find my, my iPhone is the only phone connected to my iCloud account.
Judging by the white grid icon it did not uninstall properly. Tricky to finish the job without restoring the phone to factory.
They are completely secure. The sharing of information between Apple apps, on your phone, that never leave your iPhone, improves your user experience. Do you think your clock app has been hacked to steal your media files?
The completely internal apps that share data are not a security risk. Security risks are having weak or shared passwords, not having 2 factor authentication for your Apple accounts and other sites you visit, using sketchy VPN services (and even some so-called “legitimate” ones), etc.
There is NO SECURITY ISSUE. The APPLE apps on your iPhone routinely exchange information in order to serve your needs and requests. The information never leaves your iPhone. No on can see it but you. Any other belief is a “conspiracy theory”.
Apple released iOS 18.5 on May 12.
The 18.5 security release notes explicitly credit ZUSO ART for identifying vulnerabilities in Shortcuts.
ZUSO ART (Advanced Research Team) is an authorized CVE Numbering Authority.
CVE refers to the Common Vulnerabilities and Exposures system, an internationally accepted methodology for identifying and cataloging cybersecurity vulnerabilities.
Numbering Authorities verify these vulnerabilities, and are certified to do so by the Department of Homeland Security, amongst others.
Security exploits addressed in 18.5 include arbitrary code execution and access to sensitive data, amongst many others.
This isn’t speculation; it’s directly from Apple, which makes your steadfast denials so galling.
It’s also not Shortcut’s first vulnerability. For example, in 2024 Apple patched the app’s ability for hackers to access sensitive data without invoking user permissions.
I’m not saying everyone posting here (myself included) is the victim of a Shortcuts exploit, but it is arrogant, ignorant, and demonstrably false to suggest that no one is or could be.
[Edited by Moderator]
Did you read far enough to see that this was blocked in 18.4? And that it is not listed in 18.5? The CVE is always listed in the security report, so the fact that it IS listed in 18.4 as resolved, and not in 18.5 means that it was fixed 2 versions earlier. ZUZO was just belatedly given credit. Here is the full CVE (note that ZUZO was not given credit, probably an accidental omission):
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
Impact: A shortcut may be able to access files that are normally inaccessible to the Shortcuts app
Description: This issue was addressed with improved access restrictions.
CVE-2025-30433: Andrew James Gonzalez
And notice that it talks about Shortcuts being able to override FILE access restrictions, and, of course, only if Shortcuts has been hacked. And there are any never were any hacks of Shortcuts without jailbreaking the device.
Please read the thread you just added to.
Shortcuts is a built in app; it isn’t an app you download. It is used by many internal iOS functions, and you can also add your own shortcuts. To see the built in shortcuts used by iOS open the Shortcuts app. If you have Apple Intelligence enabled it will add shortcuts for things you do frequently.
If you are using the profile of the cell company you are subscribed to with your Apple email, temporarily deactivate it from your email settings. This has worked for me. And I can't determine if this is normal contact or something bad.
foxowl wrote:
so what’s the reason? Can anyone give an answer?
Anytime you receive a phone call, email, message, a ShortcutsAction will access your Contacts to provide the name in your Contacts instead of the phone number or email address. If there is no name associated, then the action will return nothing to replace the phone number or email address.
That is just one example. There are more, such as Notification from apps that you have given permission to access your Contacts.
Almost a 1hr call with Apple support they told me “it’s the phone app that uses this shortcut to your contacts to flag spam calls” so I asked if I get a call that is not in my contacts it will be automatically flagged as a spam call? They replied not necessarily and that they couldn’t give a real answer on that” Whiskey Tango Foxtrot
seriously.
Apple support
I would suspect a future software update will eliminate it completely from the Privacy Report, just like it did in the Screen Time report, and the Contacts access will be reported correctly under the Phone app. Every call you get will have to access Contacts to see if there is a name associated with the number, and if so, you will see that name instead. Not sure what they mean to flag spam calls and certainly a call that is not in your contacts will not be automatically flagged as spam. Maybe they are referring to the Silence Unknown Callers features to check if the caller is in your Contacts.
You raised a very good point. But yah Apple support what can I say. They really don’t know much. She did say she checked with an “engineer” so it’s how she interpreted it as flagged. I have noticed it gives time stamps when it accesses your contacts. I can confirm ShortcutsActions access contacts minutes before a call and when a call actually ringing. But only certain calls not all. Pretty weird. Then it continues randomly every hour or so.
As far as the shortcuts app, it’s just meant to go with an app so you can have a shortcut to it. Any app that you make a shortcut with will affect certain permissions so if you have a shortcut that is giving you quicker access to your contacts it’ll state the time that the shortcut app accessed your contacts. I am not by all means sure about what I just said at all on how much could be true, but To me that would make sense.
Ruckles wrote:
Today’s iOS 18.7 release includes a security fix for CVE-2025-43358, a vulnerability that allowed malicious shortcuts to bypass sandbox restrictions—meaning it could be exploited by malware to gain unauthorized access to sensitive data.
Probably a good idea to run the update.
Wise advice, however the shortcutsActions process under discussion is NOT malicious. You should not use this patch to suggest that it is.
if you have found a genuine security breach report it at
https://security.apple.com/bounty/
You could be in for a bounty of up to $1mil.
I got the notification by making a shortcut that needs access to your contacts
What is "ShortcutsActions" and why is it accessing contacts on my iPhone?
