AirTag 'Lost Mode' Vulnerability Can Redirect Users to Malicious Websites

The AirTag feature that allows anyone with a smartphone to scan a lost AirTag to locate the contact information of the owner can be abused for phishing scams, according to a new report shared by KrebsOnSecurity.

When an AirTag is set in Lost Mode, it generates a URL for https://found.apple.com and it lets the AirTag owner enter a contact phone number or email address. Anyone who scans that AirTag is then directed automatically to the URL with the owner's contact information, with no login or personal information required to view the provided contact details.

According to KrebsOnSecurity, Lost Mode does not prevent users from injecting arbitrary computer code into the phone number field, so a person who scans an AirTag can be redirected to a phony iCloud login page or another malicious site. Someone who does not know that no personal information is required to view an AirTag's information could then be tricked into providing their iCloud login or other personal details, or the redirect could attempt to download malicious software.
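The input-handling gap described above, shown next to a hardened version, as an added example (not Apple's code and not taken from the KrebsOnSecurity report). The function names, page markup and sample inputs are hypothetical and constructed for illustration.

```javascript
'use strict';

// Write-time check: accept only characters that occur in phone numbers,
// then require a plausible digit count (E.164 allows at most 15 digits).
function normalizePhone(input) {
  if (typeof input !== 'string') return null;
  const trimmed = input.trim();
  if (!/^\+?[0-9 ().-]{7,25}$/.test(trimmed)) return null;
  const digits = trimmed.replace(/\D/g, '');
  if (digits.length < 7 || digits.length > 15) return null;
  return (trimmed.startsWith('+') ? '+' : '') + digits;
}

// Render-time check: encode the characters that are significant in HTML
// text and quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Weak: the owner-supplied field is concatenated into the page unchanged,
// so any markup stored in it is interpreted by the finder's browser.
function renderFoundPageWeak(phone) {
  return '<p>Contact the owner: ' + phone + '</p>';
}

// Hardened: reject anything that is not a phone number, and still encode
// the value on output in case validation is ever bypassed upstream.
function renderFoundPage(phone) {
  const normalized = normalizePhone(phone);
  if (normalized === null) return '<p>No contact number available.</p>';
  const safe = escapeHtml(normalized);
  return '<p>Contact the owner: <a href="tel:' + safe + '">' + safe + '</a></p>';
}

// Constructed sample inputs: one real-looking number, one markup string.
const samples = ['+1 (555) 010-0199', '<script>/* constructed markup */</script>'];
for (const s of samples) {
  console.log(JSON.stringify(s));
  console.log('  weak:    ', renderFoundPageWeak(s));
  console.log('  hardened:', renderFoundPage(s));
}
```

Validation and output encoding are applied together because each covers a failure of the other: data stored before the validator existed is still encoded on render.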

The AirTag flaw was found by security consultant Bobby Rauch, who told KrebsOnSecurity that the vulnerability makes AirTags dangerous. "I can't remember another instance where these sort of small consumer-grade tracking devices at a low-cost like this could be weaponized," he said.

Rauch contacted Apple on June 20, and Apple took several months to investigate. Apple told Rauch last Thursday that it would address the weakness in an upcoming update, and asked him not to talk about it in public.

Apple did not answer his questions about whether he would receive credit or whether he qualified for the bug bounty program, so he decided to share details on the vulnerability because of Apple's lack of communication.

"I told them, 'I'm willing to work with you if you can provide some details of when you plan on remediating this, and whether there would be any recognition or bug bounty payout'," Rauch said, noting that he told Apple he planned to publish his findings within 90 days of notifying them. "Their response was basically, 'We'd appreciate it if you didn't leak this.'"

Last week, security researcher Denis Tokarev made several zero-day iOS vulnerabilities public after Apple ignored his reports and failed to fix the issues for several months. Apple has since apologized, but the company is continuing to receive criticism for its bug bounty program and the slowness with which it responds to reports.

Top Rated Comments

btrach144
8 months ago
Why is Apple so lazy and incompetent when dealing with security researchers?
Score: 45 Votes

funandblindness
8 months ago

Why is Apple so lazy and incompetent when dealing with security researchers?
Arrogance
Score: 32 Votes

Naraxus
8 months ago
Rofl. And Apple has the chutzpah to claim they care about & protect user privacy
Score: 26 Votes

Altivec88
8 months ago
It's just sad what Apple has become. Here you have people finding vulnerabilities that the staff you pay didn't find. It's essentially like having other people on your payroll that you only have to pay if they find something. Instead they treat them like crap, ignoring simple credit, trying to hush them, or worse yet just ignoring the vulnerability. It's not like paying them would even be a blip in the billions/quarterly profit they make. Instead of encouraging people to report these things to them, they push them away to potentially sell it to the bad guys. Hopefully it's worth the bad PR, unknown security holes, and the continued erosion of their "privacy" marketing BS.
Score: 25 Votes

SpaceN64
8 months ago
Well that sounds bad
Score: 15 Votes

red elma
8 months ago
Vulnerability chances are greater in logging into this forum than an AirTag in 'Lost Mode'
Score: 15 Votes
