Security researcher Bobby Rauch discovered a stored cross-site scripting (XSS) vulnerability in the Apple AirTag product that can be exploited by attackers to lure users to malicious websites.
Apple AirTag is a tracking device designed to act as a key finder, it allows users to find personal objects (e.g. keys, bags, apparel, small electronic devices, vehicles).
Rauch, like other researchers recently, decided to disclose the vulnerability because Apple did not address it.
Apple AirTag Lost Mode allows a user to mark their device as missing if they have misplaced it. This generates a unique https://found.apple.com page, which the Airtag info (i.e. serial number, the phone number and message from the owner). In case an individual with an iPhone or Android device will find the missing Airtag, they can scan it using the NFC and opens the Airtag’s unique https://found.apple.com page on their device.
In the attack scenario described by the expert, an attacker enables “lost mode” for an AirTag and injects the malicious payload into the phone number field. When the victim will find the device and will scan it, the malicious payload is triggered immediately.
Rauch demonstrated the attack using a payload to redirect the victim to a fake iCloud login page.
Below is the process to exploit the issue that was described by the expert in a post published on Medium:
The same vulnerability could be exploited in multiple ways, for example, redirecting the users to a website designed to serve malware.
“Since Airtags were recently released, most users would be unaware that accessing the https://found.apple.com page doesn’t require authentication at all. The https://found.apple.com link can also be used as a phishing link, and shared via a desktop/laptop, without the need for a mobile device to scan the Airtag. Further injection attacks could occur through the Find My App, which is used to scan third-party devices that support “Lost Mode” as part of Apple’s Find My network.” concludes the expert.
(SecurityAffairs – hacking, AirTag)