Pretty interesting read. I’ve messed around with iOS Shortcuts before, but I never imagined they could be abused this cleanly to slip a bookmarklet into Chrome without any prompts. The silent bookmark creation is honestly the scariest part, because most users wouldn’t suspect anything from running a shortcut. The flow you described makes the attack look almost casual from the victim’s perspective.
It’ll be interesting to see how Google patches this, since the root cause seems more like an iOS-Chrome hybrid loophole than a single bug. Thanks for sharing the POC and breakdown.
