Hackers Can Exploit Apple AirTag Vulnerability to Lure Users to Malicious Sites
Apple’s AirTag product is affected by a vulnerability that could be exploited by hackers to lure unsuspecting users to phishing or other types of malicious websites.
Security consultant Bobby Rauch discovered that AirTags, which Apple sells for $30 and advertises as a “supereasy way to keep track of your stuff,” are affected by a stored cross-site scripting (XSS) vulnerability.
While the issue has not been patched by Apple, Rauch disclosed its details this week after becoming frustrated with the tech giant’s vulnerability reporting process.
When AirTag users enable “lost mode” to indicate that they cannot locate the device, they can add their phone number and a custom message that will be displayed to anyone who finds and scans the AirTag with an NFC phone — this includes Android phones.
Rauch noticed that the unique page generated on the found.apple.com domain for each AirTag is affected by a stored XSS vulnerability. More precisely, the XSS flaw can be exploited by inserting a malicious payload into the phone number field on the page.
In a theoretical attack scenario described by the researcher, the attacker enables “lost mode” for their own AirTag and intercepts the request associated with this action. They then inject the malicious payload into the phone number field. The attacker then needs to drop the AirTag device in a location where the targeted user — or anyone, if the attack is opportunistic — picks it up and scans it. Once the AirTag is scanned, the malicious payload is triggered immediately.
Rauch demonstrated the attack by injecting a payload that redirects the victim to an iCloud phishing page. Since it’s an Apple product, the victim might not find an iCloud login page to be suspicious — in reality, users who find and scan an AirTag don’t need to provide any credentials.
In addition to directing users to phishing pages, an attacker could lure users to malware distribution websites, or they could inject a payload for session token hijacking or clickjacking. The researcher also noted that the attacker could leverage the malicious found.apple.com link by sending it directly to the targeted user on a desktop or laptop device — in this case the payload is triggered when the link is accessed and there is no need to scan the AirTag.
Rauch told cybersecurity blogger Brian Krebs that he reported his findings to Apple on June 20, and decided to publicly disclose the vulnerability after becoming frustrated with Apple’s slow progress and refusal to answer his questions about giving him credit for the vulnerability and a possible bug bounty.
SecurityWeek has reached out to Apple for comment and will update this article if the company responds.
This is the second time in recent days that a researcher has disclosed the details of a vulnerability before Apple could release a patch. Researcher Denis Tokarev (aka illusionofchaos) has made public the details of three iOS vulnerabilities that were reported to Apple months ago, but which the tech giant failed to address.
Many cybersecurity experts have complained over the past years about Apple’s bug bounty program, including due to delayed responses and rewards they considered too small. The company said it awarded a total of $3.7 million to the researchers who responsibly disclosed security flaws last year.