AirTag 'Lost Mode' Vulnerability Can Redirect Users to Malicious Websites

by

The AirTag feature that allows anyone with a smartphone to scan a lost ‌AirTag‌ to locate the contact information of the owner can be abused for phishing scams, according to a new report shared by KrebsOnSecurity.

f1618938547
When an ‌AirTag‌ is set in Lost Mode, it generates a URL for https://found.apple.com and it lets the ‌AirTag‌ owner enter a contact phone number or email address. Anyone who scans that ‌AirTag‌ is then directed automatically to the URL with the owner's contact information, with no login or personal information required to view the provided contact details.

According to KrebsOnSecurity, Lost Mode does not prevent users from injecting arbitrary computer code into the phone number field, so a person who scans an ‌AirTag‌ can be redirected to a phony iCloud login page or another malicious site. Someone who does not know that no personal information is required to view an ‌AirTag‌'s information could then be tricked into providing their ‌iCloud‌ login or other personal details, or the redirect could attempt to download malicious software.

The ‌AirTag‌ flaw was found by security consultant Bobby Raunch, who told KrebsOnSecurity that the vulnerability makes AirTags dangerous. "I can't remember another instance where these sort of small consumer-grade tracking devices at a low-cost like this could be weaponized," he said.

Rauch contacted Apple on June 20, and Apple took several months to investigate. Apple told Rauch last Thursday that it would address the weakness in an upcoming update, and asked him not to talk about it in public.

Apple did not answer his questions about whether he would receive credit or whether he qualified for the bug bounty program, so he decided to share details on the vulnerability because of Apple's lack of communication.

"I told them, 'I'm willing to work with you if you can provide some details of when you plan on remediating this, and whether there would be any recognition or bug bounty payout'," Rauch said, noting that he told Apple he planned to publish his findings within 90 days of notifying them. "Their response was basically, 'We'd appreciate it if you didn't leak this.'"

Last week, security researcher Denis Tokarev made several zero-day iOS vulnerabilities public after Apple ignored his reports and failed to fix the issues for several months. Apple has since apologized, but the company is continuing to receive criticism for its bug bounty program and the slowness with which it responds to reports.

Tag: AirTag Guide

Popular Stories

airpods translate

AirPods Live Translation Blocked for EU Users With EU Apple Accounts

Thursday September 11, 2025 4:01 am PDT by
Apple's new Live Translation feature for AirPods will be off-limits to millions of European users when it arrives next week, with strict EU regulations likely holding back its rollout. Apple says on its feature availability webpage that "Apple Intelligence: Live Translation with AirPods" won't be available if both the user is physically in the EU and their Apple Account region is in the EU....
Read Full Article215 comments
iPhone 17 Pro Colors

iPhone 17 and iPhone 17 Pro Models Are eSIM-Only in These Countries

Tuesday September 9, 2025 12:23 pm PDT by
Apple continues to phase out the physical SIM card tray on iPhones, with the latest models relying solely on eSIM technology in more countries. The new iPhone 17, iPhone 17 Pro, and iPhone 17 Pro Max support eSIMs only in these countries and regions, according to Apple: Bahrain Canada Guam Japan Kuwait Mexico Oman Qatar Saudi Arabia United Arab Emirates Un...
Read Full Article78 comments
iPhone 17 Pro Colors

Didn't Pre-Order a New iPhone Yet? Here's How Long the Wait is Now

Friday September 12, 2025 6:11 am PDT by
iPhone 17, iPhone 17 Pro, iPhone 17 Pro Max, and iPhone Air pre-orders began at 5 a.m. Pacific Time in the U.S. and many other countries today. If you have yet to place a pre-order, you might face a longer wait now, depending on your desired configuration. As of shortly after 6 a.m. Pacific Time today, nearly all iPhone 17 Pro Max configurations on Apple's online store in the U.S. are facing ...
Read Full Article277 comments
iPhone 17 Pro Colors

iPhone 17 and iPhone 17 Pro: Release Date and Pre-Orders

Wednesday September 10, 2025 12:30 am PDT by
Apple held its annual iPhone event on Tuesday, September 9, to unveil the iPhone 17, ultra-thin iPhone Air, iPhone 17 Pro, and iPhone 17 Pro Max. All of the new iPhone models will be available to pre-order starting Friday, September 12 at 5 a.m. Pacific Time / 8 a.m. Eastern Time in the U.S. and dozens of other countries, according to Apple. The release date for the devices is one week...
Read Full Article
iPhone 17 Pro Cosmic Orange

Skipping the iPhone 17 Pro? Here's What's Rumored for iPhone 18 Pro

Wednesday September 10, 2025 8:33 am PDT by
While the iPhone 18 Pro and iPhone 18 Pro Max are still a year away, there are already a few rumors about the devices that offer an early look ahead. If you are skipping the iPhone 17 Pro and want to know about what to expect from the iPhone 18 Pro models, we have recapped a few of the key rumors below. Under-Screen Face ID In April 2023, display industry analyst Ross Young shared a...
Read Full Article120 comments
iPhone 17 Pro Colors

Apple Announces iPhone 17 Pro and Pro Max With New Design, Larger Battery, and More

Tuesday September 9, 2025 10:59 am PDT by
Apple today introduced the iPhone 17 Pro and iPhone 17 Pro Max. Both devices feature a new aluminum unibody design, with the Ceramic Shield now protecting both the front and back sides. Apple says the front side is now Ceramic Shield 2, which offers 3x better scratch resistance, while the rear Ceramic Shield is advertised as 4x more resistant to cracks compared to the back glass on previous...
Read Full Article464 comments
iphone 17 pro dark blue

The Camera Plateau: What's New With the iPhone 17 Pro Cameras

Wednesday September 10, 2025 3:53 pm PDT by
With the iPhone 17 Pro and 17 Pro Max, Apple introduced a new design for the rear of the device. Instead of a camera bump, we now have a camera plateau that spans almost the entire back of the iPhone. The camera plateau houses an upgraded camera system that includes a revamped Telephoto lens. All three of the iPhone 17 Pro and Pro Max cameras are 48 megapixels, and there are five zoom...
Read Full Article132 comments
better iphone 17 lineup

Apple Lists iPhone 17, iPhone Air, and iPhone 17 Pro Battery Capacities

Tuesday September 9, 2025 1:25 pm PDT by
Apple has confirmed the battery capacities for the iPhone 17, iPhone Air, iPhone 17 Pro, and iPhone 17 Pro Max models that were announced earlier today. Apple is required to publish energy labels on its iPhone product pages in the EU, and they reveal the official mAh battery capacities for the devices. Here are the battery capacities for each model, according to Apple: iPhone 17:...
Read Full Article58 comments

Top Rated Comments

btrach144 Avatar
btrach144
52 months ago
Why is apple so lazy and incompetent when dealing with security researchers?
Score: 45 Votes (Like | Disagree)
funandblindness Avatar
funandblindness
52 months ago

Why is apple so lazy and incompetent when dealing with security researchers?
Arrogance
Score: 32 Votes (Like | Disagree)
Naraxus Avatar
Naraxus
52 months ago
Rofl. And Apple has the chutzpah to claim they care about & protect user privacy
Score: 26 Votes (Like | Disagree)
Altivec88 Avatar
Altivec88
52 months ago
Its just sad what Apple has become. Here you have people finding vulnerabilities that the staff you pay didn't find. It's essentially like having other people on your payroll that you only have to pay if they find something. Instead they treat them like crap, ignoring simple credit, trying to hush them, or worse yet just ignoring the vulnerability. Its not like paying them would even be a blip in the billions/quarterly profit they make. Instead of encouraging people to report these thing to them, they push them away to potentially sell it to the bad guys. Hopefully it's worth the bad PR, unknown security holes, and the continued erosion of their "privacy" marketing BS.
Score: 25 Votes (Like | Disagree)
SpaceN64 Avatar
SpaceN64
52 months ago
Well that sounds bad
Score: 15 Votes (Like | Disagree)
red elma Avatar
red elma
52 months ago
Vulnerability chances are greater in logging into this forum than an AirTag in 'Lost Mode'
Score: 15 Votes (Like | Disagree)
Read All Comments