A security researcher has shown that AirTags can be weaponized by injecting code into the phone number field before placing it into Lost mode and dropping it in strategic places. Apple has confirmed the finding.

When someone finds the AirTag and scans it, they will be redirected to the website of the attacker’s choice, which could include a fake iCloud login to report the find …

Boston-based security consultant Bobby Rauch discovered the vulnerability back in June, informed Apple, and said he would allow the company 90 days before publicly disclosing the flaw. This 90-day period is common practice in the security field, allowing a company enough time to issue a patch while incentivizing them to do so promptly.

However, he said that Apple failed to fix it within the 90-day period, and also did not tell him when it would do so, whether he would be credited, and whether he would qualify for a bug bounty. Accordingly, he has now disclosed the vulnerability.

Apple has been criticized by the infosec community for the way it responds to zero-day flaw reports.

How AirTags can be weaponized

When someone finds an AirTag attached to an item, they can scan it with their iPhone or Android phone. That will display a phone number entered by the owner, and also direct them to a personalized link at https://found.apple.com that enables them to alert the owner.

However, Raunch found that it’s possible to inject XSS code into the phone number field.

An attacker can carry out Stored XSS on this https://found.apple.com page, by injecting a malicious payload into the Airtag “Lost Mode” phone number field. A victim will believe they are being asked to sign into iCloud so they can get in contact with the owner of the Airtag, when in fact, the attacker has redirected them to a credential hijacking page.

That will cause the good samaritan who scanned the AirTag to be redirected to another website. A likely one would be a phishing attack using a clone of the genuine site that asks them to log in with their iCloud credentials. If the finder scanned the tag with their iPhone, they might think nothing of this, login and have their credentials stolen. If the fake website then directs them back to the real one, they may be completely unaware anything is wrong.

Rauch says that other code could also be injected.

Other XSS exploits can be carried out as well like session token hijacking, clickjacking, and more. An attacker can create weaponized Airtags, and leave them around, victimizing innocent people who are simply trying to help a person find their lost Airtag.

The video below shows the exploit in action. A tech-savvy person would likely spot that the URL has changed, but a real attacker would of course purchase a plausible-looking domain so that it would look less suspicious.

This type of attack could easily be targeted against specific individuals or companies by dropping it in places like next to their car in a work parking lot, or outside their home.

Apple says that it does plan a fix, but no date is known, so for now, this vulnerability remains. If you do find an AirTag, note that no login is required to report it.

Via Krebsonsecurity

FTC: We use income earning auto affiliate links. More.


Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear