A bug in the Apple AirTag has opened a new attack vector: malicious actors can inject malicious code into the phone number field to trick helpful strangers into logging into their account. The vulnerability is caused by a flaw in how Apple validates phone number data. As a result, malicious actors can enter malicious code in place of a valid phone number and leave the AirTag in a public place. The malicious AirTag will then direct helpful strangers to a fake iCloud login page.
XSS exploits can be carried out
An attacker can carry out XSS exploits on an Apple AirTag to perform clickjacking and obtain session tokens. These exploits can also allow the attacker to target innocent people who are looking for their lost tags. These attacks can be carried out by changing the URL of the AirTag. However, these attacks are unlikely to be successful given the cost of the AirTags.
Apple is planning to issue a patch for this vulnerability, but it has not announced an ETA. As a result, the vulnerability will continue to exist for some time. Users do not need to sign in to report the issue. It is not mandatory to report the exploit, and if you’re a victim, you do not need to sign in.
Attackers can also plant malicious scripts in the phone number field of the AirTag to trick visitors into visiting a malicious website. These malicious scripts can also redirect visitors to a fake iCloud login page and trick them into downloading malicious apps. This way, attackers can weaponize AirTags and use them to target users who might be unaware of them.
Attackers can exploit an XSS vulnerability in the Apple AirTag, a small device developed by Apple for personal use. These tiny, digital devices can communicate with other nearby devices via Bluetooth Low Energy, so attackers can use them to lure people into visiting malicious websites. The vulnerability has not been patched by Apple, but other researchers have disclosed this vulnerability to the public.
The phone number field on Apple AirTag is not secure, which makes it a prime candidate for phishing attacks. Attackers can also exploit the fact that it is so easy to set the device to “Lost” or “Disappear” mode. This allows attackers to lure people into a scam and gain access to their accounts.
The vulnerability was first reported by security researcher Michael Rauch on June 20. Apple initially claimed that it would fix the flaw in an upcoming update, but has since been slow to respond. The researcher claims that Apple has been sitting on the vulnerability for at least three months. The researcher reported that Apple had not responded to his inquiry about whether the vulnerability would be rewarded under its bug bounty program.
iCloud login phishing site for Good Samaritans
Apple has responded to a recent report on the existence of an iCloud login phishing website that targets Good Samaritans. The phishing website uses a feature called AirTag to trick Good Samaritans into visiting malicious sites. Apple has confirmed that this phishing site is not real.
iCloud login credentials are becoming a prime target for hackers. Recently, an employee of Malwarebytes spotted a new iCloud login scam. The phishing site claimed to be from Apple and posed as Apple Support. The scammer also claimed to have been hacked by Russian hackers.
The phishing site will look similar to a legitimate Apple site and will ask users to enter their Apple ID to fix a problem. The bad actors will steal personal data through phishing emails and websites. It is estimated that one out of every 99 emails that users receive is a phishing email.
Hackers can add code to the phishing site to make it look like Apple’s iCloud login site in order to get user credentials. Users should be cautious when opening any e-mail attachments as they can be encrypted and have odd file names.
iPhone users should be aware of scammers pretending to be Apple Support when asking for their login credentials to gain access to their iCloud account. They should call Apple’s official support team instead. The scammers may call using caller-ID spoofing technology. When they do call you, they will display a fake Apple logo and a typical phone number.
Handing over AirTag to authorities
A security researcher has discovered a critical flaw in Apple’s AirTag that can be used to redirect a Good Samaritan to a phishing or malicious website. The bug has been under investigation by Apple for three months. In a follow-up email to Rauch, the company confirmed that the bug will be addressed in a forthcoming update.
Researchers initially notified Apple of the bug in June. The company did not respond for three months, so the researcher made his findings public. Now, Apple has promised to fix the issue, but it is unclear when it will be fixed. The researcher hasn’t specified a timeframe, but it is likely that a patch is coming.
The “Good Samaritan” attack is made possible by the fact that Apple’s AirTag doesn’t check for computer code in the phone number field. This vulnerability could allow a malicious AirTag to generate a pop-up that directs the user to a fake iCloud login page.
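The missing check described above can be sketched as follows. This is an added example, not Apple's code or code from the original article: the function names, the 7 to 15 digit allow-list and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example (not Apple's code): allow-list validation plus output
// encoding for a lost-item contact number. All names are hypothetical.

// Separators people commonly type in phone numbers; stripped before checking.
const SEPARATORS = /[\s().-]/g;
// Optional leading "+", then 7 to 15 digits (15 is the E.164 maximum).
const E164_LIKE = /^\+?[0-9]{7,15}$/;

// Returns the normalized number, or null if the input is not a phone number.
function normalizePhone(input) {
  if (typeof input !== "string" || input.length > 32) return null;
  const stripped = input.replace(SEPARATORS, "");
  return E164_LIKE.test(stripped) ? stripped : null;
}

// Encodes the five characters that can change HTML structure.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Flawed pattern: the stored value is placed in the page as-is.
function renderFoundPageUnsafe(storedPhone) {
  return `<p>Call the owner: ${storedPhone}</p>`;
}

// Hardened pattern: re-validate on output, then encode what is rendered.
function renderFoundPage(storedPhone) {
  const phone = normalizePhone(storedPhone);
  if (phone === null) {
    return "<p>No contact number is available for this item.</p>";
  }
  const safe = escapeHtml(phone);
  return `<p>Call the owner: <a href="tel:${safe}">${safe}</a></p>`;
}

// Constructed sample inputs: one real-looking number, one markup payload.
const SAMPLE_NUMBER = "+1 (555) 010-0199";
const SAMPLE_MARKUP = "<script>location='https://example.invalid/'</script>";

for (const value of [SAMPLE_NUMBER, SAMPLE_MARKUP]) {
  console.log(JSON.stringify(value), "->", normalizePhone(value));
  console.log("  unsafe:  ", renderFoundPageUnsafe(value));
  console.log("  hardened:", renderFoundPage(value));
}
```

Validating when the value is stored and again when it is rendered means a value written before the check existed still cannot reach the page as markup.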
The vulnerability was first reported by Krebs on Security on June 20. According to Krebs on Security, a researcher named Rauch privately reported the flaw to Apple, but Apple has been “still investigating” the issue. The researcher believes that Apple’s bug bounty program requires researchers to keep their discoveries quiet, as they risk losing money if they publicly disclose their findings.
An attacker can also leave a malware-infected USB flash drive in the parking lot. A worker may insert the drive and get infected. The drive may be titled “Employee Salaries” and will attempt to install malicious software.
A $30 tracking device called an AirTag can be used for malicious attacks if the device is set to lost mode. It also provides the phone number of the owner. A malicious AirTag can also redirect Good Samaritans to an iCloud phishing page or any other malicious website.
Apple has a history of responding slowly to security issues, even though they say they care. But by ignoring this vulnerability, they are exposing their users to attack, leaving a field without proper validation for cyberthieves to abuse.