AirTag 'Lost Mode' Vulnerability Can Redirect Users to Malicious Websites

by

The AirTag feature that allows anyone with a smartphone to scan a lost ‌AirTag‌ to locate the contact information of the owner can be abused for phishing scams, according to a new report shared by KrebsOnSecurity.

f1618938547
When an ‌AirTag‌ is set in Lost Mode, it generates a URL for https://found.apple.com and it lets the ‌AirTag‌ owner enter a contact phone number or email address. Anyone who scans that ‌AirTag‌ is then directed automatically to the URL with the owner's contact information, with no login or personal information required to view the provided contact details.

According to KrebsOnSecurity, Lost Mode does not prevent users from injecting arbitrary computer code into the phone number field, so a person who scans an ‌AirTag‌ can be redirected to a phony iCloud login page or another malicious site. Someone who does not know that no personal information is required to view an ‌AirTag‌'s information could then be tricked into providing their ‌iCloud‌ login or other personal details, or the redirect could attempt to download malicious software.

The ‌AirTag‌ flaw was found by security consultant Bobby Raunch, who told KrebsOnSecurity that the vulnerability makes AirTags dangerous. "I can't remember another instance where these sort of small consumer-grade tracking devices at a low-cost like this could be weaponized," he said.

Rauch contacted Apple on June 20, and Apple took several months to investigate. Apple told Rauch last Thursday that it would address the weakness in an upcoming update, and asked him not to talk about it in public.

Apple did not answer his questions about whether he would receive credit or whether he qualified for the bug bounty program, so he decided to share details on the vulnerability because of Apple's lack of communication.

"I told them, 'I'm willing to work with you if you can provide some details of when you plan on remediating this, and whether there would be any recognition or bug bounty payout'," Rauch said, noting that he told Apple he planned to publish his findings within 90 days of notifying them. "Their response was basically, 'We'd appreciate it if you didn't leak this.'"

Last week, security researcher Denis Tokarev made several zero-day iOS vulnerabilities public after Apple ignored his reports and failed to fix the issues for several months. Apple has since apologized, but the company is continuing to receive criticism for its bug bounty program and the slowness with which it responds to reports.

Tag: AirTag Guide

Popular Stories

iOS 19 visionOS UI Elements

iOS 19 to Have Some of the 'Biggest' Design Changes in iPhone's History

Sunday March 16, 2025 10:35 am PDT by
Apple is planning some of the "biggest iOS and macOS redesigns in its history," according to Bloomberg's Mark Gurman. In his Power On newsletter today, Gurman reiterated that iOS 19 will have a visionOS-like design with more transparent interfaces:The new interfaces will adopt the design principles introduced in visionOS, the software for Apple's Vision Pro headset. That includes greater...
Read Full Article156 comments
iphone 17 pro asherdipps

iPhone 17 Pro Max Rumors Allegedly Refer to 'iPhone 17 Ultra' Model

Friday March 14, 2025 7:56 am PDT by
If you've been following iPhone rumors over the last few years, you may remember reading reports that Apple flirted with the idea of introducing a super high-end "Ultra" model that would either replace its Pro Max device or sit above it in Apple's smartphone hirearchy. These reports appeared in the pre-launch iPhone 15 and iPhone 16 rumor cycles, but ultimately came to nothing. Now though, the...
Read Full Article145 comments
iPhone 17 Air Size Feature

Ultra-Thin 'iPhone 17 Air' Rumored to Include These 12 Features

Saturday March 15, 2025 10:50 am PDT by
While the so-called "iPhone 17 Air" is not expected to launch until September, there are already plenty of rumors about the ultra-thin device. Overall, the "iPhone 17 Air" sounds like a mixed bag. While the device is expected to have an impressively thin and light design, rumors indicate it will have some compromises compared to iPhone 17 Pro models, including only a single rear camera, a...
Read Full Article118 comments
Bent iPhone Air Feature

Apple Canned Larger iPhone 17 Air Model Over Fears of Bendgate 2.0

Monday March 17, 2025 4:07 am PDT by
Apple prototyped a larger ultra-slim iPhone 17 Air with a 6.9-inch display, but ultimately decided not to go ahead with the device because of fears that it could be susceptible to bending, according to a new report. Bloomberg reporter Mark Gurman, writing in his latest Power On newsletter: When it first started work on the phone, it prototyped a device with a 6.9-inch screen — matching...
Read Full Article92 comments
iphone 16 pro models 1

Apple's First Foldable iPhone Estimated to Cost Nearly Twice as Much as iPhone 16 Pro Max

Monday March 17, 2025 6:42 am PDT by
In an investor research note today with British bank Barclays, analyst Tim Long said Apple's first foldable iPhone could have a starting price in the $2,300 range in the United States, which would make it by far the most expensive iPhone model ever. If the first foldable iPhone starts at $2,299, that means it would cost nearly twice as much as the iPhone 16 Pro Max, which starts at $1,199. ...
Read Full Article259 comments
iPhone 17 Air Size Feature

'iPhone 17 Air' Rumored to Start at $899 With Surprisingly Good Battery Life, Camera Control, and More

Sunday March 16, 2025 9:05 am PDT by
Bloomberg's Mark Gurman today shared some new details about the rumored iPhone 17 Air. In his Power On newsletter, Gurman said he was told that the device may start at roughly $899 in the U.S., which means that it would occupy the same price point as the iPhone 16 Plus. This would make sense, as it has been widely rumored that the Air model will take over the Plus model's spot in the iPhone...
Read Full Article52 comments
apple surveyor app

Apple Launches 'Surveyor' App for Apple Maps Data Collection

Friday March 14, 2025 10:38 am PDT by
Apple today launched a new app called Surveyor, which is designed to allow users to collect data like images of street signs and roadside details to improve Apple Maps. The app is not public facing and appears to be for use with companies that Apple partners with to assign mapping tasks. Downloading the app and opening it up directs users to "Open Partner App" to choose a task. Tapping on...
Read Full Article73 comments
iphone 16e usb c feature

'iPhone 17 Air' is Step Towards Slimmer iPhones Without USB-C Ports

Sunday March 16, 2025 9:36 am PDT by
Apple considered launching the iPhone 17 Air without a USB-C charging port, according to Bloomberg's Mark Gurman. In his Power On newsletter today, Gurman said that while Apple ultimately decided against making the iPhone 17 Air its first iPhone model without a charging port, the idea is still on the table for future iPhone models. He said the iPhone 17 Air will "foreshadow a move to...
Read Full Article256 comments

Top Rated Comments

btrach144 Avatar
btrach144
45 months ago
Why is apple so lazy and incompetent when dealing with security researchers?
Score: 45 Votes (Like | Disagree)
funandblindness Avatar
funandblindness
45 months ago

Why is apple so lazy and incompetent when dealing with security researchers?
Arrogance
Score: 32 Votes (Like | Disagree)
Naraxus Avatar
Naraxus
45 months ago
Rofl. And Apple has the chutzpah to claim they care about & protect user privacy
Score: 26 Votes (Like | Disagree)
Altivec88 Avatar
Altivec88
45 months ago
Its just sad what Apple has become. Here you have people finding vulnerabilities that the staff you pay didn't find. It's essentially like having other people on your payroll that you only have to pay if they find something. Instead they treat them like crap, ignoring simple credit, trying to hush them, or worse yet just ignoring the vulnerability. Its not like paying them would even be a blip in the billions/quarterly profit they make. Instead of encouraging people to report these thing to them, they push them away to potentially sell it to the bad guys. Hopefully it's worth the bad PR, unknown security holes, and the continued erosion of their "privacy" marketing BS.
Score: 25 Votes (Like | Disagree)
SpaceN64 Avatar
SpaceN64
45 months ago
Well that sounds bad
Score: 15 Votes (Like | Disagree)
red elma Avatar
red elma
45 months ago
Vulnerability chances are greater in logging into this forum than an AirTag in 'Lost Mode'
Score: 15 Votes (Like | Disagree)
Read All Comments