An AirTag bug has been plaguing Apple’s products for three months now, rerouting Good Samaritans to malicious websites and phishing pages. Apple is currently investigating the issue and will address it in a future update. While the company has not said when or how this bug will be fixed, it did respond to Rauch’s email on Thursday.
The XSS vulnerability in Apple’s AirTag vulnerability has been around for several months now, but Apple has not patched it yet. The researcher who discovered it has requested a patch from Apple, but the company has not responded to requests for comment. Regardless of why the flaw is still present, the researcher plans to disclose the details of his findings.
The researcher contacted Apple on June 20 with the information and he was hoping to make it public within 90 days. However, he has heard little since. The company has not answered his questions about how it is progressing on a solution or whether he will be rewarded for revealing the bug.
The vulnerability allows attackers to place malicious scripts in the phone number field of an AirTag, which redirects visitors to a fake iCloud login page. Once they have obtained the user’s credentials, they can then download a malicious app. The attack could be used to target innocent people, or to promote malicious apps.
XSS exploits can also be used to hijack clickjacking and session tokens. This means that attackers can use an AirTag as a weapon and target unsuspecting people looking for a lost Airtag. This is particularly dangerous if an attacker buys a domain that looks reasonable, as that would make the attacker appear less suspicious.
Currently, there is no fix available for the XSS vulnerability in Apple’s AirTag. The bug isn’t very urgent, so Apple is likely still working on a fix. In the meantime, a bug bounty program will reward those who report it.
Redirect to phishing page
Apple has confirmed that its users are susceptible to an Apple AirTag bug samaritan attack that redirects to a phishing page. The company is working on a fix for the vulnerability, but has not yet given a timeframe for its release. The bug allows hackers to create weaponized Airtags and redirect Good Samaritans to malicious websites.
A security researcher recently found that a bug in the Apple AirTag bug allows hackers to trick a good samaritan into submitting their iCloud login credentials to a phishing site using the tracking device. The hacker could then use the AirTag tracking device to redirect an unknowing Good Samaritan to a phishing website, or even download malicious software onto the victim’s device.
The bug is made possible by an unsecure Apple AirTag phone number field. This allows attackers to inject malicious code into the phone number field, causing it to redirect the user to a fake Apple iCloud login page. The phishing site then steals the user’s login information and redirects them to a phishing page.
Another exploit takes advantage of an Apple AirTag bug called Lost Mode. This attack targets the good Samaritan, or someone who has lost their AirTag and is trying to return it to the owner. This attack works similarly to malware-infected flash drive attack.
The researcher alerted Apple about this bug in mid-June. The company has said it is investigating the problem. Last week, Apple released a security update to fix this bug.
Lack of communication with researchers
Researchers have recently reported that Apple has failed to acknowledge the bugs they discover and to credit them. This lack of transparency has a negative impact on Apple users and the security community as a whole. While Apple has improved its relationship with third-party security researchers over the last several years, this issue still shows that Apple needs to do more to improve their disclosure policy.
Researchers who have been looking into Apple’s AirTag bug have found a major flaw: the bug doesn’t sanitize user input and can be attached to objects that are easily misplaced. This makes it possible for malicious actors to use the bug to redirect a helpful stranger to a malicious website. It’s also possible for malicious actors to place malicious AirTags in public places, where they can trick innocent bystanders.
Since June 20, when Rauch and another researcher reported the vulnerability to Apple, the company has remained silent, refusing to answer basic questions about the bug or the timeline for a fix. Apple also refuses to comment on the eligibility of researchers for its Bug Bounty program and hasn’t responded to questions about whether they’ve resolved the bug or credited the researchers.
The AirTag is a $30 tracking device. A vulnerability in this device allows an attacker to spoof the phone number field with arbitrary code. This means that a malicious AirTag can redirect a lost device to a bogus iCloud login page. This vulnerability is caused by a flaw in Apple’s “Lost Mode” security.
Cost of devices
Apple has been investigating the AirTag bug for three months. The company said it would fix the problem in an upcoming software update. This bug makes the devices cheap, but may also make them physical Trojan horses. In a follow-up email to Rauch, Apple said it will take appropriate measures to ensure that AirTag tracking devices don’t spread malware.
The exploit is based on the fact that the AirTag device uses a “Lost Mode” that doesn’t prevent an attacker from injecting arbitrary code into the phone number field. That code then causes the device to visit a fake iCloud login page. According to Bobby Rauch, a security consultant and penetration tester, this flaw enables attackers to gain control of an AirTag device.
The good Samaritan feature of the AirTag can also be exploited by malicious individuals. Anyone with an Apple ID can send the device’s finder a malicious website or phishing site to steal credentials or personal information. This flaw also allows a malicious person to purchase AirTags and convert them into malicious trojans.
Reliability of hyperlink provided by AirTag
Reliability of hyperlink provided by Airtag depends on whether Apple’s servers can link an AirTag URL to the device. If they can, Apple will show the serial number of the device even before it has registered. They will also display the lost message and phone number, if available. Nevertheless, Apple states that they don’t store this information on their servers. Besides, only the phone that owns an AirTag can generate a rotating public key. However, further reverse engineering may reveal the significance of the unknown URL parameters.