AirTag 'Lost Mode' Vulnerability Can Redirect Users to Malicious Websites - MacRumors
Skip to Content

AirTag 'Lost Mode' Vulnerability Can Redirect Users to Malicious Websites

by

The AirTag feature that allows anyone with a smartphone to scan a lost ‌AirTag‌ to locate the contact information of the owner can be abused for phishing scams, according to a new report shared by KrebsOnSecurity.

f1618938547
When an ‌AirTag‌ is set in Lost Mode, it generates a URL for https://found.apple.com and it lets the ‌AirTag‌ owner enter a contact phone number or email address. Anyone who scans that ‌AirTag‌ is then directed automatically to the URL with the owner's contact information, with no login or personal information required to view the provided contact details.

According to KrebsOnSecurity, Lost Mode does not prevent users from injecting arbitrary computer code into the phone number field, so a person who scans an ‌AirTag‌ can be redirected to a phony iCloud login page or another malicious site. Someone who does not know that no personal information is required to view an ‌AirTag‌'s information could then be tricked into providing their ‌iCloud‌ login or other personal details, or the redirect could attempt to download malicious software.

The ‌AirTag‌ flaw was found by security consultant Bobby Raunch, who told KrebsOnSecurity that the vulnerability makes AirTags dangerous. "I can't remember another instance where these sort of small consumer-grade tracking devices at a low-cost like this could be weaponized," he said.

Rauch contacted Apple on June 20, and Apple took several months to investigate. Apple told Rauch last Thursday that it would address the weakness in an upcoming update, and asked him not to talk about it in public.

Apple did not answer his questions about whether he would receive credit or whether he qualified for the bug bounty program, so he decided to share details on the vulnerability because of Apple's lack of communication.

"I told them, 'I'm willing to work with you if you can provide some details of when you plan on remediating this, and whether there would be any recognition or bug bounty payout'," Rauch said, noting that he told Apple he planned to publish his findings within 90 days of notifying them. "Their response was basically, 'We'd appreciate it if you didn't leak this.'"

Last week, security researcher Denis Tokarev made several zero-day iOS vulnerabilities public after Apple ignored his reports and failed to fix the issues for several months. Apple has since apologized, but the company is continuing to receive criticism for its bug bounty program and the slowness with which it responds to reports.

Related Roundup: AirTag
Buyer's Guide: AirTag (Buy Now)

Popular Stories

Second Generation AirTag Feature

Apple Launched AirTag 5 Years Ago Today

Thursday April 30, 2026 5:51 am PDT by
Apple's AirTag item tracker turns five years old today, with the $29 accessory having spent half a decade as the best-selling item tracker in the world. The AirTag launched on April 30, 2021, alongside the M1 iMac, a new iPad Pro, and a new Apple TV 4K. The coin-shaped accessory has a polished stainless steel back, IP67 water resistance, and a U1 Ultra Wideband chip that powers Precision...
Read Full Article30 comments
Second Generation AirTag Feature Purple

Apple Faces Dozens of Lawsuits Over AirTag Stalking After Class Action Denied

Friday May 1, 2026 2:39 pm PDT by
Apple is facing over 30 lawsuits from people who claim to have been stalked using Apple AirTags. The filings come after an AirTag lawsuit from 2022 (Hughes v. Apple) failed to get class certification. In each filing, Apple is accused of releasing the AirTag while being aware that it could be "purchased and used by abusive, dangerous individuals, to track, coerce, control, and otherwise...
Read Full Article88 comments
iOS 27 on iPhone 17 1

iOS 27 Will Add These New Features to Your iPhone

Saturday May 2, 2026 8:43 am PDT by
Apple is expected to unveil iOS 27 during its WWDC 2026 keynote on June 8, and there are already many rumored features and changes for iPhones. The first developer beta of iOS 27 will likely be available immediately following the keynote, and a public beta typically follows in July. Following beta testing, the software update should be released to all users with a compatible iPhone in...
Read Full Article89 comments

Top Rated Comments

btrach144 Avatar
btrach144
60 months ago
Why is apple so lazy and incompetent when dealing with security researchers?
Score: 45 Votes (Like | Disagree)
F
funandblindness
60 months ago

Why is apple so lazy and incompetent when dealing with security researchers?
Arrogance
Score: 32 Votes (Like | Disagree)
Naraxus Avatar
Naraxus
60 months ago
Rofl. And Apple has the chutzpah to claim they care about & protect user privacy
Score: 26 Votes (Like | Disagree)
A
Altivec88
60 months ago
Its just sad what Apple has become. Here you have people finding vulnerabilities that the staff you pay didn't find. It's essentially like having other people on your payroll that you only have to pay if they find something. Instead they treat them like crap, ignoring simple credit, trying to hush them, or worse yet just ignoring the vulnerability. Its not like paying them would even be a blip in the billions/quarterly profit they make. Instead of encouraging people to report these thing to them, they push them away to potentially sell it to the bad guys. Hopefully it's worth the bad PR, unknown security holes, and the continued erosion of their "privacy" marketing BS.
Score: 25 Votes (Like | Disagree)
red elma Avatar
red elma
60 months ago
Vulnerability chances are greater in logging into this forum than an AirTag in 'Lost Mode'
Score: 15 Votes (Like | Disagree)
SpaceN64 Avatar
SpaceN64
60 months ago
Well that sounds bad
Score: 15 Votes (Like | Disagree)
Read All Comments