AirTag 'Lost Mode' Vulnerability Can Redirect Users to Malicious Websites

[MacRumors]

The AirTag feature that allows anyone with a smartphone to scan a lost AirTag to locate the contact information of the owner can be abused for phishing scams, according to a new report shared by KrebsOnSecurity.

When an AirTag is set in Lost Mode, it generates a URL for https://found.apple.com and it lets the AirTag owner enter a contact phone number or email address. Anyone who scans that AirTag is then directed automatically to the URL with the owner's contact information, with no login or personal information required to view the provided contact details.

According to KrebsOnSecurity, Lost Mode does not prevent users from injecting arbitrary computer code into the phone number field, so a person who scans an AirTag can be redirected to a phony iCloud login page or another malicious site. Someone who does not know that no personal information is required to view an AirTag's information could then be tricked into providing their iCloud login or other personal details, or the redirect could attempt to download malicious software.

The AirTag flaw was found by security consultant Bobby Raunch, who told KrebsOnSecurity that the vulnerability makes AirTags dangerous. "I can't remember another instance where these sort of small consumer-grade tracking devices at a low-cost like this could be weaponized," he said.

Rauch contacted Apple on June 20, and Apple took several months to investigate. Apple told Rauch last Thursday that it would address the weakness in an upcoming update, and asked him not to talk about it in public.

Apple did not answer his questions about whether he would receive credit or whether he qualified for the bug bounty program, so he decided to share details on the vulnerability because of Apple's lack of communication.

"I told them, 'I'm willing to work with you if you can provide some details of when you plan on remediating this, and whether there would be any recognition or bug bounty payout'," Rauch said, noting that he told Apple he planned to publish his findings within 90 days of notifying them. "Their response was basically, 'We'd appreciate it if you didn't leak this.'"

Last week, security researcher Denis Tokarev made several zero-day iOS vulnerabilities public after Apple ignored his reports and failed to fix the issues for several months. Apple has since apologized, but the company is continuing to receive criticism for its bug bounty program and the slowness with which it responds to reports.

Article Link: AirTag 'Lost Mode' Vulnerability Can Redirect Users to Malicious Websites

 

[SpaceN64]

Well that sounds bad

 

[btrach144]

Why is apple so lazy and incompetent when dealing with security researchers?

 

[TheYayAreaLiving 🎗️]

Ouch! That doesn’t sound good. Imagine if they get access to your personal information.

 

[funandblindness]

Why is apple so lazy and incompetent when dealing with security researchers?

Arrogance

 

[Naraxus]

Rofl. And Apple has the chutzpah to claim they care about & protect user privacy

 

[apparatchik]

They really need someone in charge of communicating back to researchers, who's only job is to keep reports flowing and answer around the clock so whoever deserves recognition / payout gets it, otherwise they'll start reporting to the Pegasus of the world instead.

 

[mariusignorello]

Anything consumer grade is vulnerable to attacks, inconsistencies and inconvenience because of the casual non-mission critical nature of the hardware. Apple typically is the exception to this but when you get into cheap gadgetry like AirTags then it’s not surprising. These aren’t commercial grade GPS units like UPS or the likes would use.

 

[RONS67]

Nice of him to share this.
/s
If this qualifies for a bounty, I wouldn’t think it much.

 

[Smith288]

This seems like an expensive scam to try to do. And hardly useful. But it’s still a pretty ugly rookie thing to do as a huge tech company.

 

[nitramluap]

But doesn't an AirTag have to be linked to a legitimate iCloud account for it to be activated and then put into Lost Mode in the first place? So why would someone start a phishing attack using a device linked to their personal iCloud account? Seems like a storm in a teacup.

 

[antiprotest]

This is what we expect from Apple now. Weak on security and privacy.

 

[Art Mark]

Rofl. And Apple has the chutzpah to claim they care about & protect user privacy

So you think this mistake, is. sign that Apple doesn't care about security or privacy? Really? Of the thousands of methods out there on every platform that allow hacks, this is a sign to you that Apple is lying when they say they care about security and privacy? I think you are overreacting. Or just haven't thought out what you write.

 

[matrix07]

Lost Mode does not prevent users from injecting arbitrary computer code into the phone number field, so a person who scans an AirTag can be redirected to a phony iCloud login page or another malicious site. Someone who does not know that no personal information is required to view an AirTag's information could then be tricked into providing their iCloud login or other personal details, or the redirect could attempt to download malicious software.

It's good that someone is checking this but I mean it's getting to the ridiculous territory here. If I scan AirTag in hope of helping someone and find that I have to log in I will just not bother.

 

[bladerunner88]

Rofl. And Apple has the chutzpah to claim they care about & protect user privacy

Yes! This Exactly ⬆️ And Gold Stars 4 "Chutzpah" ?

 

[Altivec88]

Its just sad what Apple has become. Here you have people finding vulnerabilities that the staff you pay didn't find. It's essentially like having other people on your payroll that you only have to pay if they find something. Instead they treat them like crap, ignoring simple credit, trying to hush them, or worse yet just ignoring the vulnerability. Its not like paying them would even be a blip in the billions/quarterly profit they make. Instead of encouraging people to report these thing to them, they push them away to potentially sell it to the bad guys. Hopefully it's worth the bad PR, unknown security holes, and the continued erosion of their "privacy" marketing BS.

 

[Chaos215bar2]

These aren’t commercial grade GPS units like UPS or the likes would use.

I’d be willing to bet those commercial units are full of vulnerabilities. But unless UPS allows their scanners to receive messages from or connect to anything other than their own internal servers (which would be silly), the attack surface is pretty much limited to malicious barcodes.

 

[ersan191]

Not sanitizing input on a form? Jesus, Apple, this is the most basic of the basic programming mistakes.

 

[thisisnotmyname]

Although I certainly don't condone Apple hesitating in addressing security issues I'm also starting to view "security researchers" as petty people who put themselves over the security of us all. "Apple didn't commit to recognizing that I found out I can inject some HTML into the AirTags message so now I'm going to go tell the world how to break this," isn't a mature response.

 

[The Barron]

Come on Apple; it's time to step up your game with all things security before the third party developers & media sites usually report before you find out. It's not a good look especially by the prices you charge for all Apple items

 

[red elma]

Vulnerability chances are greater in logging into this forum than an AirTag in 'Lost Mode'

 

[randyhudson]

So you think this mistake, is. sign that Apple doesn't care about security or privacy? Really? Of the thousands of methods out there on every platform that allow hacks, this is a sign to you that Apple is lying when they say they care about security and privacy? I think you are overreacting. Or just haven't thought out what you write.

This is hardly a hack. It’s web security 101. You don’t simply inject user-defined data into a page without properly escaping, sanitizing, and/or validating it. And really it should be validated/restricted on the way in as well.

 

[DamnedFool]

Why is apple so lazy and incompetent when dealing with security researchers?

Courage.

 

[coolkid93]

all I have to say is “YIKES”

 

[Eduardo1971]

Boy Apple, that is a really bad way to treat security researchers.