AirTag 'Lost Mode' Vulnerability Can Redirect Users to Malicious Websites

The AirTag feature that allows anyone with a smartphone to scan a lost AirTag to locate the contact information of the owner can be abused for phishing scams, according to a new report shared by KrebsOnSecurity.

f1618938547
When an AirTag is set in Lost Mode, it generates a URL for https://found.apple.com and it lets the AirTag owner enter a contact phone number or email address. Anyone who scans that AirTag is then directed automatically to the URL with the owner's contact information, with no login or personal information required to view the provided contact details.

According to KrebsOnSecurity, Lost Mode does not prevent users from injecting arbitrary computer code into the phone number field, so a person who scans an AirTag can be redirected to a phony iCloud login page or another malicious site. Someone who does not know that no personal information is required to view an AirTag's information could then be tricked into providing their ‌iCloud‌ login or other personal details, or the redirect could attempt to download malicious software.

The AirTag flaw was found by security consultant Bobby Raunch, who told KrebsOnSecurity that the vulnerability makes AirTags dangerous. "I can't remember another instance where these sort of small consumer-grade tracking devices at a low-cost like this could be weaponized," he said.

Rauch contacted Apple on June 20, and Apple took several months to investigate. Apple told Rauch last Thursday that it would address the weakness in an upcoming update, and asked him not to talk about it in public.

Apple did not answer his questions about whether he would receive credit or whether he qualified for the bug bounty program, so he decided to share details on the vulnerability because of Apple's lack of communication.

"I told them, 'I'm willing to work with you if you can provide some details of when you plan on remediating this, and whether there would be any recognition or bug bounty payout'," Rauch said, noting that he told Apple he planned to publish his findings within 90 days of notifying them. "Their response was basically, 'We'd appreciate it if you didn't leak this.'"

Last week, security researcher Denis Tokarev made several zero-day iOS vulnerabilities public after Apple ignored his reports and failed to fix the issues for several months. Apple has since apologized, but the company is continuing to receive criticism for its bug bounty program and the slowness with which it responds to reports.

Related Forum: AirTags

Top Rated Comments

btrach144 Avatar
9 months ago
Why is apple so lazy and incompetent when dealing with security researchers?
Score: 45 Votes (Like | Disagree)
funandblindness Avatar
9 months ago

Why is apple so lazy and incompetent when dealing with security researchers?
Arrogance
Score: 32 Votes (Like | Disagree)
Naraxus Avatar
9 months ago
Rofl. And Apple has the chutzpah to claim they care about & protect user privacy
Score: 26 Votes (Like | Disagree)
Altivec88 Avatar
9 months ago
Its just sad what Apple has become. Here you have people finding vulnerabilities that the staff you pay didn't find. It's essentially like having other people on your payroll that you only have to pay if they find something. Instead they treat them like crap, ignoring simple credit, trying to hush them, or worse yet just ignoring the vulnerability. Its not like paying them would even be a blip in the billions/quarterly profit they make. Instead of encouraging people to report these thing to them, they push them away to potentially sell it to the bad guys. Hopefully it's worth the bad PR, unknown security holes, and the continued erosion of their "privacy" marketing BS.
Score: 25 Votes (Like | Disagree)
SpaceN64 Avatar
9 months ago
Well that sounds bad
Score: 15 Votes (Like | Disagree)
red elma Avatar
9 months ago
Vulnerability chances are greater in logging into this forum than an AirTag in 'Lost Mode'
Score: 15 Votes (Like | Disagree)

Related Stories

f1618938547

Police Find Unexpected Use for Apple AirTags

Monday July 19, 2021 3:15 am PDT by
The utility of Apple's AirTag item trackers have started to be seen in law enforcement when locating stolen property, according to recent reports. As reported by GadgetLite, an AirTag user in Boston was able to recover their stolen property with the help of the police and Apple's small tracking device. Earlier this month, the user discovered that his bike had been stolen. Thankfully, he...
tagvault

ElevationLab Launches 'TagVault' AirTag Holder

Friday April 30, 2021 9:52 am PDT by
ElevationLab today debuted the TagVault, which is the most protective AirTag holder that we've seen to date. Priced at $12.95 for one or $29.95 for a pack of three, the TagVault is a two piece AirTag holder that screws together to offer total protection for an AirTag. The two halves come apart, the AirTag is situated in the middle, and then four screws hold the TagVault together....
AirTag is Linked to Apple ID Feature

Apple Announces AirTag Updates to Address Unwanted Tracking

Thursday February 10, 2022 9:58 am PST by
Apple today announced that it is making some updates to AirTags with the aim of cutting down on unwanted tracking. There are several changes that will be implemented in a multi-phase rollout. In an upcoming software update, Apple plans to implement new privacy warnings that will show up during AirTag setup to thwart malicious use. The warning will make it clear that the AirTag is linked to...
airtag 1

AirTag Anti-Stalking Measures 'Just Aren't Sufficient' Says Washington Post Report

Wednesday May 5, 2021 6:03 pm PDT by
The safeguards that Apple built into AirTags to prevent them from being used to track someone "just aren't sufficient," The Washington Post's Geoffrey Fowler said today in a report investigating how AirTags can be used for covert stalking. Fowler planted an AirTag on himself and teamed up with a colleague to be pretend stalked, and he came to the conclusion that the AirTags are a "new means...
AirTag and Lavender iPhone

Deals: AirTag 4-Pack Available for $89 on Amazon ($10 Off)

Tuesday March 22, 2022 5:44 am PDT by
Amazon today has Apple's AirTag 4-Pack for $89.00, down from $99.00. The accessory is shipped and sold directly by Amazon, and currently only Amazon is offering this sale on the AirTag. There is only a discount on the AirTag 4-Pack right now on Amazon, not on the 1-Pack option. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may ...
airtag in hand

Muscle Car Owner Targeted With Hidden AirTag Placed by Thieves

Tuesday December 21, 2021 9:02 am PST by
Michigan resident John Nelson claims that he was recently targeted by car thieves who hid one of Apple's AirTags in his vehicle, a 2018 Dodge Charger. According to a Fox 2 Detroit report, Nelson visited the Great Lakes Crossing shopping center in Auburn Hills, where he spent about two hours. After departing, he got a notification on his phone that informed him he was being tracked by an...
silent airtags with speakers removed

Sale of 'Silent AirTags' on eBay and Etsy Raises Privacy Concerns

Thursday February 3, 2022 8:08 am PST by
Apple AirTag tracking devices with deactivated speakers have been spotted on eBay and Etsy, raising privacy concerns about the risks of removing one of the AirTag's safeguards, PCMag reports. The modified AirTags, dubbed "Silent AirTags," have had their internal speaker removed so that they are no longer able to emit a sound to highlight their presence. The Silent AirTag looks identical to a ...
airtag in hand

New York Attorney General Issues AirTag Consumer Alert Over Stalking Concerns

Wednesday February 16, 2022 9:47 am PST by
Though Apple last week announced changes to AirTags that will likely help cut down on unwanted tracking, officials are starting to take notice of complaints. New York Attorney General Letitia James today sent out a consumer alert with "safety recommendations" to protect New Yorkers from AirTags (via The Mac Observer). Across the country, Apple AirTags are being misused to track people and...

Popular Stories

apple ar headset concept 1

Apple's Headset Said to Feature 14 Cameras Enabling Lifelike Avatars, Jony Ive Has Remained Involved With Design

Friday May 20, 2022 6:50 am PDT by
Earlier this week, The Information's Wayne Ma outlined struggles that Apple has faced during the development of its long-rumored AR/VR headset. Now, in a follow-up report, he has shared several additional details about the wearable device. Apple headset render created by Ian Zelbo based on The Information reporting For starters, one of the headset's marquee features is said to be lifelike...
iPhone 14 Purple Lineup Feature

Will the iPhone 14 Be a Disappointment?

Saturday May 21, 2022 9:00 am PDT by
With around four months to go before Apple is expected to unveil the iPhone 14 lineup, the overwhelming majority of rumors related to the new devices so far have focused on the iPhone 14 Pro, rather than the standard iPhone 14 – leading to questions about how different the iPhone 14 will actually be from its predecessor, the iPhone 13. The iPhone 14 Pro and iPhone 14 Pro Max are expected...
sony headphones 1

Sony's New WH-1000XM5 Headphones vs. Apple's AirPods Max

Friday May 20, 2022 12:18 pm PDT by
Sony this week came out with an updated version of its popular over-ear noise canceling headphones, so we picked up a pair to compare them to the AirPods Max to see which headphones are better and whether it's worth buying the $400 WH-1000XM5 from Sony over Apple's $549 AirPods Max. Subscribe to the MacRumors YouTube channel for more videos. First of all, the AirPods Max win out when it comes ...
studio display 3

Apple's Rumored 27-Inch Mini-LED Display Now Said to Launch in October

Friday May 20, 2022 8:07 am PDT by
Apple now plans to release a new 27-inch display with mini-LED backlighting in October due to the Shanghai lockdown, which has resulted in production of the display being delayed, according to display industry consultant Ross Young. In a tweet, Young said Apple is in the process of moving production of the display from Quanta Computer to a different supplier and/or location, resulting in a...
HomePodandMini feature green

Kuo: Apple to Release New HomePod in Late 2022 or Early 2023

Friday May 20, 2022 8:55 am PDT by
Apple is working on an updated version of the HomePod that could come in the fourth quarter of 2022 or the first quarter of 2023, according to Apple analyst Ming-Chi Kuo. Kuo says that there "may not be much innovation in hardware design" for the new HomePod, and there is no word on what size the device will be and if it will be a HomePod mini successor or a larger speaker. Apple would ...
airtag purple

Best Apple Deals of the Week: Save on AirTag, AirPods 3, and iPads

Friday May 20, 2022 8:01 am PDT by
Solid markdowns on the AirTag, AirPods 3, and a few iPad models were introduced this week, and below you'll find all of the best deals of the past few days that are still available to purchase. AirTag Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running. What's the...