Apple’s AirTag tracking device is susceptible to a bug that allows a malicious user to redirect a Good Samaritan to a phishing website or download malicious software. The flaw was discovered by researcher Michael Rauch in June. The researcher reported the issue to Apple, and they responded by promising to address the issue in a future update.
AirTag’s Lost Mode does not properly sanitize data entered into its phone number field
AirTag’s Lost Mode does not sanitize data entered into its text field. The message sent by AirTag can be viewed on an iPhone, Android phone, or iPad. If you do not wish to receive the notification, you can disable it on your iPhone.
The vulnerability makes it easier for attackers to weaponize AirTags to perform phishing attacks. To exploit the flaw, an attacker can inject malicious code into the phone number field. This rogue code can trick innocent people into providing their iCloud credentials. Apple has committed to address this vulnerability in an upcoming update. However, it is not clear when the update will be available.
Apple has notified security researchers of the vulnerability. The company has confirmed that a patch is in the works. Until then, users should be careful when searching for their AirTags on websites that require a login. If they do find their lost AirTag, they should avoid registering their phone number with such websites.
The Apple AirTag includes a feature called Lost Mode to help users find their missing items. The feature not only sends a notification to the owner of the AirTag, but also opens a web page with the device’s information. The website displays a contact number and the serial number of the missing AirTag.
Resetting the AirTag may resolve the issue. The process is very easy. The user needs to turn off and on the device a few times. After a few seconds, they must tap the switch again to reconnect to the app. If they do not want to do this, they can connect via cellular data.
Users can enter arbitrary computer code into the phone number field
The vulnerability in Apple’s AirTag allows an attacker to insert arbitrary computer code into the phone number field in Lost Mode. This allows attackers to create weaponized AirTags and launch attacks. Apple is working to address the problem but it’s not known when it will release the fix.
While the bug was discovered in June, Apple has been slow to acknowledge it. When researcher Charlie Rauch first disclosed it, the company blew him off, refusing to disclose the bug publicly and not letting him submit the exploit to its bug bounty program. But last Friday, Apple finally acknowledged the issue and said it will patch the bug in an upcoming update.
This bug is particularly serious because it enables Good Samaritans to be redirected to a phishing site or malicious website. Apple has been investigating the bug for three months. In a follow-up email to Rauch, the company said it would fix the bug in an upcoming update.
While the bug isn’t widespread, it could lead to some serious problems. For example, it can lead to data theft and credential hijacking. In addition, it can allow attackers to use the stolen device to access a compromised website.
Apple’s bounty program requires that the vulnerability be patched as soon as possible. However, pre-patch disclosure of the vulnerability runs the risk of alerting cyberthieves. The fact is that some attackers already know about the bug. Therefore, if the bug is publicized, Apple must act quickly to fix the vulnerability.
Device redirects samaritan to phishing page
An Apple AirTag bug allows hackers to divert victims to a malicious iCloud phishing page. The AirTag tracking device sends a personalized URL when scanned by an NFC enabled device. The hacker can use the information to install malicious software onto the victim’s device.
A phishing attack could take place if the AirTag is stolen. It could also redirect a good samaritan to a malicious website. The phishing website asks for the victim’s iCloud login credentials. The finder might think nothing of it or simply log in, his access data would be stolen.
The vulnerability was discovered several months ago by security researcher Bobby Rauch, who reported the issue to Apple. The company confirmed the vulnerability last week, though the date of the fix is not disclosed. This vulnerability is related to stored cross-site scripting, which can be exploited to execute clickjacking and session token hijacking attacks.
A security researcher has already demonstrated how AirTags can be weaponized. In one case, he inserted a code into the phone number field. After that, he placed the tags in lost mode and stored them strategically in strategic places. Once a person finds one of these AirTags, they will be redirected to a phishing site, where they can enter their iCloud login credentials. As a security precaution, Apple has reportedly been working on a fix for AirTags.
In a similar fashion, the AirTag has been used against good intentions as well. A bug that can cause a phishing attack could be injected into the software of the AirTag device. This code can then be released into the wild, which means it can harm innocent users.
Leave a Reply