AirTag 'Lost Mode' Vulnerability Can Redirect Users to Malicious Websites

by

The AirTag feature that allows anyone with a smartphone to scan a lost ‌AirTag‌ to locate the contact information of the owner can be abused for phishing scams, according to a new report shared by KrebsOnSecurity.

f1618938547
When an ‌AirTag‌ is set in Lost Mode, it generates a URL for https://found.apple.com and it lets the ‌AirTag‌ owner enter a contact phone number or email address. Anyone who scans that ‌AirTag‌ is then directed automatically to the URL with the owner's contact information, with no login or personal information required to view the provided contact details.

According to KrebsOnSecurity, Lost Mode does not prevent users from injecting arbitrary computer code into the phone number field, so a person who scans an ‌AirTag‌ can be redirected to a phony iCloud login page or another malicious site. Someone who does not know that no personal information is required to view an ‌AirTag‌'s information could then be tricked into providing their ‌iCloud‌ login or other personal details, or the redirect could attempt to download malicious software.

The ‌AirTag‌ flaw was found by security consultant Bobby Raunch, who told KrebsOnSecurity that the vulnerability makes AirTags dangerous. "I can't remember another instance where these sort of small consumer-grade tracking devices at a low-cost like this could be weaponized," he said.

Rauch contacted Apple on June 20, and Apple took several months to investigate. Apple told Rauch last Thursday that it would address the weakness in an upcoming update, and asked him not to talk about it in public.

Apple did not answer his questions about whether he would receive credit or whether he qualified for the bug bounty program, so he decided to share details on the vulnerability because of Apple's lack of communication.

"I told them, 'I'm willing to work with you if you can provide some details of when you plan on remediating this, and whether there would be any recognition or bug bounty payout'," Rauch said, noting that he told Apple he planned to publish his findings within 90 days of notifying them. "Their response was basically, 'We'd appreciate it if you didn't leak this.'"

Last week, security researcher Denis Tokarev made several zero-day iOS vulnerabilities public after Apple ignored his reports and failed to fix the issues for several months. Apple has since apologized, but the company is continuing to receive criticism for its bug bounty program and the slowness with which it responds to reports.

Tag: AirTag Guide

Popular Stories

iphone 17 models

No iPhone 18 Launch This Year, Reports Suggest

Thursday January 1, 2026 8:43 am PST by
Apple is not expected to release a standard iPhone 18 model this year, according to a growing number of reports that suggest the company is planning a significant change to its long-standing annual iPhone launch cycle. Despite the immense success of the iPhone 17 in 2025, the iPhone 18 is not expected to arrive until the spring of 2027, leaving the iPhone 17 in the lineup as the latest...
Read Full Article116 comments
duolingo ad live activity

Duolingo Used iPhone's Dynamic Island to Display Ads, Violating Apple Design Guidelines

Friday January 2, 2026 1:36 pm PST by
Language learning app Duolingo has apparently been using the iPhone's Live Activity feature to display ads on the Lock Screen and the Dynamic Island, which violates Apple's design guidelines. According to multiple reports on Reddit, the Duolingo app has been displaying an ad for a "Super offer," which is Duolingo's paid subscription option. Apple's guidelines for Live Activity state that...
Read Full Article105 comments
Low Cost A18 Pro MacBook Feature Pink

Apple's 2026 Low-Cost A18 Pro MacBook: What We Know So Far

Friday January 2, 2026 4:33 pm PST by
Apple is planning to release a low-cost MacBook in 2026, which will apparently compete with more affordable Chromebooks and Windows PCs. Apple's most affordable Mac right now is the $999 MacBook Air, and the upcoming low-cost MacBook is expected to be cheaper. Here's what we know about the low-cost MacBook so far. Size Rumors suggest the low-cost MacBook will have a display that's around 13 ...
Read Full Article151 comments
govee floor lamp

CES 2026: Govee Announces New Matter-Connected Ceiling and Floor Lights

Sunday January 4, 2026 5:00 am PST by
Govee today introduced three new HomeKit-compatible lighting products, including the Govee Floor Lamp 3, the Govee Ceiling Light Ultra, and the Govee Sky Ceiling Light. The Govee Floor Lamp 3 is the successor to the Floor Lamp 2, and it offers Matter integration with the option to connect to HomeKit. The Floor Lamp 3 offers an upgraded LuminBlend+ lighting system that can reproduce 281...
Read Full Article53 comments
Belkin 25W Battery magnetic

CES 2026: Belkin Announces Magnetic Ring Power Bank, Modular Dock, and More

Sunday January 4, 2026 3:02 pm PST by
Belkin today announced a range of new charging and connectivity accessories at CES 2026, expanding its portfolio of products aimed at Apple device users. UltraCharge Pro Power Bank 10K with Magnetic Ring The lineup includes new Qi2 and Qi2.2 wireless chargers, magnetic power banks, a high-capacity laptop battery, and USB-C productivity accessories, with an emphasis on higher charging...
Read Full Article17 comments
airpods pro 3 glitter

AirPods New Year's Deals Include Up to $99 Off AirPods Max, AirPods Pro 3, and AirPods 4

Sunday January 4, 2026 8:04 am PST by
Now that the calendar has flipped over into January, steep discounts on popular Apple products have become more rare after the holidays. However, if you didn't get a new pair of AirPods recently and are looking for a model on sale, Amazon does have a few solid second-best prices this week. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a...
Read Full Article15 comments
Low Cost MacBook Feature A18 Pro

Low-Price 12.9-Inch MacBook With A18 Pro Chip Reportedly Launching Early This Year

Friday January 2, 2026 9:08 am PST by
Apple plans to introduce a 12.9-inch MacBook in spring 2026, according to TrendForce. In a press release this week, the Taiwanese research firm said this MacBook will be aimed at the entry-level to mid-range market, with "competitive pricing." TrendForce did not share any further details about this MacBook, but the information that it shared lines up with several rumors about a more...
Read Full Article197 comments
Clicks Communicator Feature

'Clicks Communicator' Unveiled — Will You Carry This With Your iPhone?

Friday January 2, 2026 6:35 am PST by
The company behind the BlackBerry-like Clicks Keyboard accessory for the iPhone today unveiled a new Android 16 smartphone called the Clicks Communicator. The purpose-built device is designed to be used as a second phone alongside your iPhone, with the intended focus being communication over content consumption. It runs a custom Android launcher that offers a curated selection of messaging...
Read Full Article195 comments

Top Rated Comments

btrach144 Avatar
btrach144
56 months ago
Why is apple so lazy and incompetent when dealing with security researchers?
Score: 45 Votes (Like | Disagree)
funandblindness Avatar
funandblindness
56 months ago

Why is apple so lazy and incompetent when dealing with security researchers?
Arrogance
Score: 32 Votes (Like | Disagree)
Naraxus Avatar
Naraxus
56 months ago
Rofl. And Apple has the chutzpah to claim they care about & protect user privacy
Score: 26 Votes (Like | Disagree)
Altivec88 Avatar
Altivec88
56 months ago
Its just sad what Apple has become. Here you have people finding vulnerabilities that the staff you pay didn't find. It's essentially like having other people on your payroll that you only have to pay if they find something. Instead they treat them like crap, ignoring simple credit, trying to hush them, or worse yet just ignoring the vulnerability. Its not like paying them would even be a blip in the billions/quarterly profit they make. Instead of encouraging people to report these thing to them, they push them away to potentially sell it to the bad guys. Hopefully it's worth the bad PR, unknown security holes, and the continued erosion of their "privacy" marketing BS.
Score: 25 Votes (Like | Disagree)
SpaceN64 Avatar
SpaceN64
56 months ago
Well that sounds bad
Score: 15 Votes (Like | Disagree)
red elma Avatar
red elma
56 months ago
Vulnerability chances are greater in logging into this forum than an AirTag in 'Lost Mode'
Score: 15 Votes (Like | Disagree)
Read All Comments