A security researcher has raised the alarm about an AirTag vulnerability that might allow a hacker to trick customers into visiting an iCloud phishing website.
The issue originates from AirTag’s Lost Mode, which lets someone who finds a stray AirTag get in touch with its owner. When the owner enables Lost Mode, the feature displays a phone number or address on a dedicated found.apple.com webpage. According to Bobby Rauch (via Krebs on Security), Apple’s Lost Mode “doesn’t yet prevent users from putting arbitrary computer code into its phone number field,” which may direct an unwitting AirTag retriever to a phishing site.
The most typical danger is code that redirects visitors to a phishing site that looks exactly like Apple’s iCloud login page, thereby tricking them into entering their username and password.
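The defect described above is a failure to validate and encode a contact field before rendering it on a web page. The following JavaScript is an added example, not Apple’s code and not from the article, showing the unsafe pattern next to a hardened one: an allow-list check for a plausible phone number, plus HTML entity encoding of whatever is rendered. The function names, the `PHONE_RE` pattern and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example (not Apple's code): validating and encoding a "contact phone
// number" before it is rendered into a lost-item page.

// Allow-list for a plausible phone number: optional leading '+', then 7-20
// characters drawn from digits, spaces, parentheses, dots and hyphens.
// (Assumed pattern; tighten or loosen for your own locale rules.)
const PHONE_RE = /^\+?[0-9 ().-]{7,20}$/;

// Input validation: reject anything that is not a phone number at all.
function isValidPhone(input) {
  return typeof input === 'string' && PHONE_RE.test(input.trim());
}

// Output encoding for text placed inside an HTML element body.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe: raw interpolation of user-controlled text into markup.
// This is the class of defect the article describes; shown for contrast only.
function renderContactUnsafe(phone) {
  return `<p>Contact: ${phone}</p>`;
}

// Safe: validate, then encode. Validation alone is not enough (the allow-list
// could be relaxed later), and encoding alone would still show junk, so do both.
function renderContactSafe(phone) {
  if (!isValidPhone(phone)) {
    return '<p>Contact: (no valid phone number provided)</p>';
  }
  return `<p>Contact: ${escapeHtml(phone.trim())}</p>`;
}

// Constructed sample inputs (not taken from the article or any real report).
const SAMPLES = {
  good: '+1 (555) 010-0199',
  markup: '<b>not a number</b>',
};

// Renders every sample both ways so the difference is visible side by side.
function demo() {
  const out = {};
  for (const [name, value] of Object.entries(SAMPLES)) {
    out[name] = {
      unsafe: renderContactUnsafe(value),
      safe: renderContactSafe(value),
    };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

The key point for a defender is that the fix belongs on the server side, at the point where the field is stored and again where it is rendered; a client-side check in the app that sets Lost Mode can be bypassed, so it must not be the only control.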
Here is what the researcher who found the AirTag vulnerability said.
“There are infinite ways an attacker may victimize an end-user who discovers a misplaced AirTag,” adds Rauch. Rauch found the problem in June. He alleges that he contacted Apple months ago. However, the company’s researchers finally assured him last week that the vulnerability will be resolved in a future update.
Apple’s AirTag is a Bluetooth tracking gadget that can attach to another device. It uses ultra-wideband technology to track non-Apple devices and locate items with pinpoint accuracy in the Find My app.
Apple’s “lack of contact” pushed Rauch to go public with his discoveries, according to Krebs on Security. He further claims that Apple asked him not to disclose the information. Apple was recently chastised by another security researcher for patching a zero-day iOS issue without crediting him. Through its Security Bounty Program, Apple pays up to a million dollars for reports of flaws and vulnerabilities.