AirTag 'Lost Mode' Vulnerability Can Redirect Users to Malicious Websites

by

The AirTag feature that allows anyone with a smartphone to scan a lost ‌AirTag‌ to locate the contact information of the owner can be abused for phishing scams, according to a new report shared by KrebsOnSecurity.

f1618938547
When an ‌AirTag‌ is set in Lost Mode, it generates a URL for https://found.apple.com and it lets the ‌AirTag‌ owner enter a contact phone number or email address. Anyone who scans that ‌AirTag‌ is then directed automatically to the URL with the owner's contact information, with no login or personal information required to view the provided contact details.

According to KrebsOnSecurity, Lost Mode does not prevent users from injecting arbitrary computer code into the phone number field, so a person who scans an ‌AirTag‌ can be redirected to a phony iCloud login page or another malicious site. Someone who does not know that no personal information is required to view an ‌AirTag‌'s information could then be tricked into providing their ‌iCloud‌ login or other personal details, or the redirect could attempt to download malicious software.

The ‌AirTag‌ flaw was found by security consultant Bobby Raunch, who told KrebsOnSecurity that the vulnerability makes AirTags dangerous. "I can't remember another instance where these sort of small consumer-grade tracking devices at a low-cost like this could be weaponized," he said.

Rauch contacted Apple on June 20, and Apple took several months to investigate. Apple told Rauch last Thursday that it would address the weakness in an upcoming update, and asked him not to talk about it in public.

Apple did not answer his questions about whether he would receive credit or whether he qualified for the bug bounty program, so he decided to share details on the vulnerability because of Apple's lack of communication.

"I told them, 'I'm willing to work with you if you can provide some details of when you plan on remediating this, and whether there would be any recognition or bug bounty payout'," Rauch said, noting that he told Apple he planned to publish his findings within 90 days of notifying them. "Their response was basically, 'We'd appreciate it if you didn't leak this.'"

Last week, security researcher Denis Tokarev made several zero-day iOS vulnerabilities public after Apple ignored his reports and failed to fix the issues for several months. Apple has since apologized, but the company is continuing to receive criticism for its bug bounty program and the slowness with which it responds to reports.

Tag: AirTag Guide

Popular Stories

iPhone 17 Pro Blue Feature Tighter Crop

iPhone 17 Pro Launching in Three Months With These 12 New Features

Saturday June 14, 2025 5:45 pm PDT by
The iPhone 17 Pro and iPhone 17 Pro Max are three months away, and there are plenty of rumors about the devices. Below, we recap key changes rumored for the iPhone 17 Pro models as of June 2025:Aluminum frame: iPhone 17 Pro models are rumored to have an aluminum frame, whereas the iPhone 15 Pro and iPhone 16 Pro models have a titanium frame, and the iPhone X through iPhone 14 Pro have a...
Read Full Article112 comments
iPadOS 26 App Windowing

Apple Explains Why iPads Don't Just Run macOS

Friday June 13, 2025 7:46 am PDT by
iPadOS 26 allows iPads to function much more like Macs, with a new app windowing system, a swipe-down menu bar at the top of the screen, and more. However, Apple has stopped short of allowing iPads to run macOS, and it has now explained why. In an interview this week with Swiss tech journalist Rafael Zeier, Apple's software engineering chief Craig Federighi said that iPadOS 26's new Mac-like ...
Read Full Article228 comments
iphone 16 pro models 1

17 Reasons to Wait for the iPhone 17

Thursday June 12, 2025 8:58 am PDT by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models simultaneously, which is why we often get rumored features months ahead of launch. The iPhone 17 series is no different, and we already have a good idea of what to expect from Apple's 2025 smartphone lineup. If you skipped the iPhone...
Read Full Article69 comments
Logitech Logo Feature

Logitech Announces Two New Accessories for WWDC

Friday June 13, 2025 7:22 am PDT by
Alongside WWDC this week, Logitech announced notable new accessories for the iPad and Apple Vision Pro. The Logitech Muse is a spatially-tracked stylus developed for use with the Apple Vision Pro. Introduced during the WWDC 2025 keynote address, Muse is intended to support the next generation of spatial computing workflows enabled by visionOS 26. The device incorporates six degrees of...
Read Full Article24 comments
iOS 26 Screens

Here Are All the iOS 26 Features That Require iPhone 15 Pro or Newer

Thursday June 12, 2025 4:53 am PDT by
With iOS 26, Apple has introduced some major changes to the iPhone experience, headlined by the new Liquid Glass redesign that's available across all compatible devices. However, several of the update's features are exclusive to iPhone 15 Pro and iPhone 16 models, since they rely on Apple Intelligence. The following features are powered by on-device large language models and machine...
Read Full Article58 comments
CarPlay Liquid Glass Dark

Apple to Let iPhone Users Watch Videos on CarPlay Screen While Parked

Thursday June 12, 2025 6:16 am PDT by
Apple this week announced that iPhone users will soon be able to watch videos right on the CarPlay screen in supported vehicles. iPhone users will be able to wirelessly stream videos to the CarPlay screen using AirPlay, according to Apple. For safety reasons, video playback will only be available when the vehicle is parked, to prevent distracted driving. The connected iPhone will be able to...
Read Full Article70 comments
iOS 26 on Three iPhones

Hate iOS 26's Liquid Glass Design? Here's How to Tone It Down

Wednesday June 11, 2025 4:22 pm PDT by
iOS 26 features a whole new design material that Apple calls Liquid Glass, with a focus on transparency that lets the content on your display shine through the controls. If you're not a fan of the look, or are having trouble with readability, there is a step that you can take to make things more opaque without entirely losing out on the new look. Apple has multiple Accessibility options that ...
Read Full Article211 comments
Mac Studio Feature

Apple Begins Selling Refurbished Mac Studio With M4 Max and M3 Ultra Chips at a Discount

Thursday June 12, 2025 10:14 am PDT by
Apple today added Mac Studio models with M4 Max and M3 Ultra chips to its online certified refurbished store in the United States, Canada, Japan, Singapore, and many European countries, for the first time since they were released in March. As usual for refurbished Macs, prices are discounted by approximately 15% compared to the equivalent new models on Apple's online store. Note that Apple's ...
Read Full Article34 comments
iOS 26 Feature

Apple Seeds Revised iOS 26 Developer Beta to Fix Battery Issue

Friday June 13, 2025 10:15 am PDT by
Apple today provided developers with a revised version of the first iOS 26 beta for testing purposes. The update is only available for the iPhone 15 and iPhone 16 models, so if you're running iOS 26 on an iPhone 14 or earlier, you won't see the revised beta. Registered developers can download the new beta software through the Settings app on each device. The revised beta addresses an...
Read Full Article84 comments

Top Rated Comments

btrach144 Avatar
btrach144
49 months ago
Why is apple so lazy and incompetent when dealing with security researchers?
Score: 45 Votes (Like | Disagree)
funandblindness Avatar
funandblindness
49 months ago

Why is apple so lazy and incompetent when dealing with security researchers?
Arrogance
Score: 32 Votes (Like | Disagree)
Naraxus Avatar
Naraxus
49 months ago
Rofl. And Apple has the chutzpah to claim they care about & protect user privacy
Score: 26 Votes (Like | Disagree)
Altivec88 Avatar
Altivec88
49 months ago
Its just sad what Apple has become. Here you have people finding vulnerabilities that the staff you pay didn't find. It's essentially like having other people on your payroll that you only have to pay if they find something. Instead they treat them like crap, ignoring simple credit, trying to hush them, or worse yet just ignoring the vulnerability. Its not like paying them would even be a blip in the billions/quarterly profit they make. Instead of encouraging people to report these thing to them, they push them away to potentially sell it to the bad guys. Hopefully it's worth the bad PR, unknown security holes, and the continued erosion of their "privacy" marketing BS.
Score: 25 Votes (Like | Disagree)
SpaceN64 Avatar
SpaceN64
49 months ago
Well that sounds bad
Score: 15 Votes (Like | Disagree)
red elma Avatar
red elma
49 months ago
Vulnerability chances are greater in logging into this forum than an AirTag in 'Lost Mode'
Score: 15 Votes (Like | Disagree)
Read All Comments