AirTag’s “lost mode” vulnerability could redirect users to malicious websites

According to a new report shared by KrebsOnSecurity, the AirTag feature that allows anyone with a smartphone to scan a lost AirTag to locate the owner’s contact information can be used for phishing scams.

When an AirTag is set to lost mode, it generates a URL for https://found.apple.com and allows the owner of the AirTag to enter a phone number or email address. Anyone who scans that AirTag is then automatically directed to the URL with the owner’s contact information, with no login or personal information required to view the contact details provided.

According to KrebsOnSecurity, Lost Mode does not prevent users from injecting arbitrary computer code into the phone number field, so someone who scans an AirTag may be redirected to a fake iCloud login page or another. malicious site. Someone who does not know that no personal information is required to display AirTag information could then be prompted to provide their ‌iCloud‌ ID or other personal information, or the redirect could attempt to download malware. .

The AirTag flaw was discovered by security consultant Bobby Raunch, who told KrebsOnSecurity that the vulnerability makes AirTags dangerous. “I don’t recall another instance where these kind of small, low-cost, consumer grade trackers like this could be militarized,” he said.

Rauch contacted Apple on June 20, and it took Apple several months to investigate. Apple told Rauch last Thursday that it would correct the weakness in an upcoming update and asked him not to speak about it in public.

Apple did not respond to questions about whether it would receive credit or qualify for the bug bounty program, so it decided to share details about the vulnerability due to lack of communication from Apple.

“I told them, ‘I’m willing to work with you if you can provide details on when you plan to fix this, and if there would be any bug recognition or premium payment,'” he said. Rauch said, noting that he told Apple he planned to release his findings within 90 days of notification. Their response was basically, ‘We would appreciate it if you didn’t disclose this. “”

Last week, security researcher Denis Tokarev went public with several zero-day iOS vulnerabilities after Apple ignored its reports and failed to fix the issues for several months. Apple has since apologized, but the company continues to receive criticism for its bug bounty program and the slowness with which it responds to reports.