
AirTag vulnerability turns tracker into Trojan horse, fix incoming


A recently discovered AirTag weakness allows would-be attackers to redirect users to a malicious webpage when the device is scanned in Lost Mode, effectively turning the tracker into a Trojan horse.

Lost Mode is a tentpole AirTag capability that, when activated, allows anyone with an NFC-capable device to scan the tracker and read a programmed discovery message that can include an owner's phone number. The feature assists in the return of lost items like car keys if the Find My network fails to locate a lost AirTag.

Researcher Bobby Rauch has uncovered a vulnerability that turns Lost Mode into a potential attack vector.

As outlined by Krebs on Security, Lost Mode generates a unique URL at https://found.apple.com, where owners can enter a personal message and phone number should the device be found. Rauch found that Apple's systems do not sanitize the phone number field: markup or script stored there is rendered as-is in the found.apple.com page, so an unsuspecting good Samaritan who scans the tag can be sent to a malicious website the moment the page loads.

"I can't remember another instance where these sort of small consumer-grade tracking devices at a low cost like this could be weaponized," Rauch said.

In a Medium post published today, Rauch explains that a stored XSS payload placed in the phone number field can redirect the finder to a phishing site that captures credentials with a keylogger. Other XSS attacks, such as session token hijacking and clickjacking, could also be carried out through the same field, Rauch says.
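To make the class of bug concrete, here is an added example (written for this page; it is not Apple's code and not Rauch's proof of concept) of a minimal lost-item page that renders an owner-supplied phone number. The field name, page layout, phone-number pattern and redirect payload are assumptions for illustration. The vulnerable renderer concatenates the stored value straight into HTML, which is all a stored XSS needs; the hardened renderer rejects anything that does not look like a phone number before storage and HTML-escapes every field at render time, so even a value that slips past validation cannot run as script.

```javascript
// Added example, not Apple's code: a toy model of a "lost item" page that
// renders an owner-supplied message and phone number for whoever scans the tag.

// Vulnerable rendering: both fields are dropped into the markup unescaped, so
// any HTML or <script> the owner stored executes in the finder's browser.
function renderLostPageVulnerable(message, phone) {
  return '<h1>This item is lost</h1>' +
         '<p>' + message + '</p>' +
         '<p>Call <a href="tel:' + phone + '">' + phone + '</a></p>';
}

// Hardened rendering, in two independent layers:
//  1. Validate the phone number against a strict allow-list before it is stored.
//  2. HTML-escape every stored field when the page is built, regardless of (1).
// The pattern below is an assumption for the example, not Apple's rule.
const PHONE_RE = /^\+?[0-9][0-9 \-().]{4,19}$/;

function isValidPhone(phone) {
  return typeof phone === 'string' && PHONE_RE.test(phone);
}

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderLostPageHardened(message, phone) {
  if (!isValidPhone(phone)) {
    throw new Error('phone number rejected: does not match the allowed pattern');
  }
  // The tel: href keeps only digits and a leading plus; the visible text is escaped.
  const telHref = 'tel:' + phone.replace(/[^+0-9]/g, '');
  return '<h1>This item is lost</h1>' +
         '<p>' + escapeHtml(message) + '</p>' +
         '<p>Call <a href="' + telHref + '">' + escapeHtml(phone) + '</a></p>';
}

// Constructed sample payload of the kind the article describes: a stored script
// that sends the finder to an attacker-controlled page (the host is a placeholder).
const PAYLOAD = '<script>location.href="https://example.invalid/login"</script>';

// True when the rendered page would execute a script tag as code rather than
// display it as text: the condition that makes the stored XSS work.
function pageExecutesScript(html) {
  return /<script[\s>]/i.test(html);
}

// Stand-alone demonstration: vulnerable page carries the live payload,
// hardened page refuses it and renders a legitimate number safely.
if (typeof require !== 'undefined' && require.main === module) {
  const bad = renderLostPageVulnerable('Please call me', PAYLOAD);
  console.log('vulnerable page executes script:', pageExecutesScript(bad));
  try {
    renderLostPageHardened('Please call me', PAYLOAD);
  } catch (e) {
    console.log('hardened page:', e.message);
  }
  console.log(renderLostPageHardened('Reward <offered>', '+1 (555) 010-0000'));
}
```

Note that validation alone is not the fix: a renderer that escapes output is what stops the payload, and the allow-list is defence in depth for the one field whose legitimate values are easy to describe.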

The researcher informed Apple about the vulnerability on June 20 and said he planned to make the information public in 90 days, in line with standard disclosure practice. He has received little information since then beyond statements saying that the company is still investigating the flaw. Apple failed to answer questions about progress on a solution and did not say whether Rauch would be credited in a future security advisory, the report said. The company also did not comment on whether the flaw was eligible for a payout through Apple's Bug Bounty Program.

Last Thursday, five days after the 90-day disclosure protection window expired, Apple contacted Rauch to say that the weakness will be addressed in an upcoming update and asked that he not talk about the bug publicly.

"I told them, 'I'm willing to work with you if you can provide some details of when you plan on remediating this, and whether there would be any recognition or bug bounty payout,'" Rauch said. "Their response was basically, 'We'd appreciate it if you didn't leak this.'"

Rauch went public to protest Apple's lack of communication, the report said.

A number of other researchers have aired frustrations about Apple's bug reporting program, including security researcher Denis Tokarev. Last week, Tokarev detailed his experience with the Bug Bounty Program, saying he identified and reported four flaws to Apple, but only one has been patched. Apple later apologized for the delay and said it is still investigating the issues.

AirTag has been an area of interest for the security research community since its launch in April. Shortly after the device debuted, researchers found a method by which AirTag can be leveraged to send short messages through the Find My network.



13 Comments

robin huber 4026 comments · 22 Years

What a wonderful species we are part of! No sooner does something come along to make life better, one of us figures out a way to turn it into more misery. 

22july2013 3731 comments · 11 Years

This type of bug is common enough that Apple should have been more careful. 

Rauch discovered that Apple's systems do not prevent injection of arbitrary code into the phone number field, meaning unsuspecting good Samaritans who scan the device can be sent to a malicious website.

bobolicious 1177 comments · 10 Years

...is any centralized data at scale by design a Trojan Horse of sorts, or perhaps (if guile unintended) more correctly simply a potentially fallible, vulnerable and compelling target...? I still keep hoping (naively) Apple might revive macOS server as an owncloud-like distributed option more in line with the general zeitgeist of the original internet, if that is even possible...

chadbag 2029 comments · 13 Years

The fact that Apple got back to him and asked for more time and he basically gave them the finger puts this guy in the d*ck category.  If Apple was totally ignoring him then maybe his protest disclosure would make sense.  But he just put a mark on his forehead that he is a d*ck and not to be worked with. 

dewme 5770 comments · 10 Years

Sigh. So much for having all new products undergo a design for security (DFS) review. This class of vulnerability should not be making it into a release product, especially for one with such a narrow attack surface. If it was 1995 maybe this would be a forgivable “oops” but in the year 2021, it’s simply embarrassing.