AirTag 'Lost Mode' Vulnerability Can Redirect Users to Malicious Websites

The AirTag feature that allows anyone with a smartphone to scan a lost AirTag to locate the contact information of the owner can be abused for phishing scams, according to a new report shared by KrebsOnSecurity.

When an AirTag is set in Lost Mode, it generates a URL for https://found.apple.com and it lets the AirTag owner enter a contact phone number or email address. Anyone who scans that AirTag is then directed automatically to the URL with the owner's contact information, with no login or personal information required to view the provided contact details.

According to KrebsOnSecurity, Lost Mode does not prevent users from injecting arbitrary computer code into the phone number field, so a person who scans an AirTag can be redirected to a phony iCloud login page or another malicious site. Someone who does not know that no personal information is required to view an AirTag's information could then be tricked into providing their iCloud login or other personal details, or the redirect could attempt to download malicious software.
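The class of flaw described above is a contact field that is stored and later rendered into a web page without validation or output encoding. The following is an added example, not Apple's code and not from the KrebsOnSecurity report, showing how a service could defend such a field at both ends; the function names and sample values are hypothetical and constructed for illustration.

```javascript
// Added illustration: hypothetical handling of a "found item" contact phone field.
// Layer 1 validates on write; layer 2 re-validates and encodes on read, so a
// record stored before validation existed still cannot inject markup.

// Constructed sample of a hostile field value (markup instead of a number).
const HOSTILE_SAMPLE = "<script>location='https://example.invalid/'</script>";

// Accept only a phone number: strip common punctuation, then require
// an optional "+" followed by 7 to 15 digits (E.164 allows at most 15).
function normalizePhone(input) {
  if (typeof input !== "string" || input.length > 32) return null;
  const stripped = input.trim().replace(/[\s().-]/g, "");
  return /^\+?[0-9]{7,15}$/.test(stripped) ? stripped : null;
}

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every character that is significant in HTML text or attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Write path: refuse to store anything that is not a phone number.
function storeContactPhone(record, rawInput) {
  const phone = normalizePhone(rawInput);
  if (phone === null) {
    return { ok: false, error: "invalid phone number" };
  }
  record.phone = phone;
  return { ok: true };
}

// Read path: never trust the stored value; re-validate, then encode.
function renderContact(storedValue) {
  const phone = normalizePhone(storedValue);
  if (phone === null) {
    return "<span>Contact details unavailable</span>";
  }
  const safe = escapeHtml(phone);
  return `<a href="tel:${safe}">${safe}</a>`;
}
```
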

The AirTag flaw was found by security consultant Bobby Rauch, who told KrebsOnSecurity that the vulnerability makes AirTags dangerous. "I can't remember another instance where these sort of small consumer-grade tracking devices at a low-cost like this could be weaponized," he said.

Rauch contacted Apple on June 20, and Apple took several months to investigate. Apple told Rauch last Thursday that it would address the weakness in an upcoming update, and asked him not to talk about it in public.

Apple did not answer his questions about whether he would receive credit or whether he qualified for the bug bounty program, so he decided to share details on the vulnerability because of Apple's lack of communication.

"I told them, 'I'm willing to work with you if you can provide some details of when you plan on remediating this, and whether there would be any recognition or bug bounty payout'," Rauch said, noting that he told Apple he planned to publish his findings within 90 days of notifying them. "Their response was basically, 'We'd appreciate it if you didn't leak this.'"

Last week, security researcher Denis Tokarev made several zero-day iOS vulnerabilities public after Apple ignored his reports and failed to fix the issues for several months. Apple has since apologized, but the company is continuing to receive criticism for its bug bounty program and the slowness with which it responds to reports.


Top Rated Comments

btrach144
10 weeks ago
Why is Apple so lazy and incompetent when dealing with security researchers?
Score: 45 Votes

funandblindness
10 weeks ago

Why is Apple so lazy and incompetent when dealing with security researchers?
Arrogance
Score: 32 Votes

Naraxus
10 weeks ago
Rofl. And Apple has the chutzpah to claim they care about & protect user privacy
Score: 26 Votes

Altivec88
10 weeks ago
It's just sad what Apple has become. Here you have people finding vulnerabilities that the staff you pay didn't find. It's essentially like having other people on your payroll that you only have to pay if they find something. Instead they treat them like crap, ignoring simple credit, trying to hush them, or worse yet just ignoring the vulnerability. It's not like paying them would even be a blip in the billions/quarterly profit they make. Instead of encouraging people to report these things to them, they push them away to potentially sell it to the bad guys. Hopefully it's worth the bad PR, unknown security holes, and the continued erosion of their "privacy" marketing BS.
Score: 25 Votes

SpaceN64
10 weeks ago
Well that sounds bad
Score: 15 Votes

red elma
10 weeks ago
Vulnerability chances are greater in logging into this forum than an AirTag in 'Lost Mode'
Score: 15 Votes
