AirTag 'Lost Mode' Vulnerability Can Redirect Users to Malicious Websites

The AirTag feature that allows anyone with a smartphone to scan a lost ‌AirTag‌ to locate the contact information of the owner can be abused for phishing scams, according to a new report shared by KrebsOnSecurity.

f1618938547
When an ‌AirTag‌ is set in Lost Mode, it generates a URL for https://found.apple.com and it lets the ‌AirTag‌ owner enter a contact phone number or email address. Anyone who scans that ‌AirTag‌ is then directed automatically to the URL with the owner's contact information, with no login or personal information required to view the provided contact details.

According to KrebsOnSecurity, Lost Mode does not prevent users from injecting arbitrary computer code into the phone number field, so a person who scans an ‌AirTag‌ can be redirected to a phony iCloud login page or another malicious site. Someone who does not know that no personal information is required to view an ‌AirTag‌'s information could then be tricked into providing their ‌iCloud‌ login or other personal details, or the redirect could attempt to download malicious software.

The ‌AirTag‌ flaw was found by security consultant Bobby Raunch, who told KrebsOnSecurity that the vulnerability makes AirTags dangerous. "I can't remember another instance where these sort of small consumer-grade tracking devices at a low-cost like this could be weaponized," he said.

Rauch contacted Apple on June 20, and Apple took several months to investigate. Apple told Rauch last Thursday that it would address the weakness in an upcoming update, and asked him not to talk about it in public.

Apple did not answer his questions about whether he would receive credit or whether he qualified for the bug bounty program, so he decided to share details on the vulnerability because of Apple's lack of communication.

"I told them, 'I'm willing to work with you if you can provide some details of when you plan on remediating this, and whether there would be any recognition or bug bounty payout'," Rauch said, noting that he told Apple he planned to publish his findings within 90 days of notifying them. "Their response was basically, 'We'd appreciate it if you didn't leak this.'"

Last week, security researcher Denis Tokarev made several zero-day iOS vulnerabilities public after Apple ignored his reports and failed to fix the issues for several months. Apple has since apologized, but the company is continuing to receive criticism for its bug bounty program and the slowness with which it responds to reports.

Popular Stories

iPhone 17 Pro Blue Feature Tighter Crop

iPhone 17: What's New With the Cameras

Friday May 2, 2025 3:52 pm PDT by
We've still got months to go before the new iPhone 17 models come out, but a combination of dummy models and leaks have given us some insight into what we can expect in terms of camera changes. Apple is adding new camera features, and changing the design of the camera bump for some models. You might be skeptical of dummy models, but over the years, they've proven to be a highly accurate...
iphone 17 air iphone 16 pro

iPhone 17 Air USB-C Port May Have This Unusual Design Quirk

Wednesday April 30, 2025 3:59 am PDT by
Apple is preparing to launch a dramatically thinner iPhone this September, and if recent leaks are anything to go by, the so-called iPhone 17 Air could boast one of the most radical design shifts in recent years. iPhone 17 Air dummy model alongside iPhone 16 Pro (credit: AppleTrack) At just 5.5mm thick (excluding a slightly raised camera bump), the 6.6-inch iPhone 17 Air is expected to become ...
AirPods Pro 3 Mock Feature

AirPods Pro 3 Just Months Away – Here's What We Know

Tuesday April 29, 2025 1:30 am PDT by
Despite being more than two years old, Apple's AirPods Pro 2 still dominate the premium wireless‑earbud space, thanks to a potent mix of top‑tier audio, class‑leading noise cancellation, and Apple's habit of delivering major new features through software updates. With AirPods Pro 3 widely expected to arrive in 2025, prospective buyers now face a familiar dilemma: snap up the proven...
iOS App Store General Feature JoeBlue

Epic Games Wins Major Victory as Apple is Ordered to Comply With App Store Anti-Steering Injunction [Updated]

Wednesday April 30, 2025 4:01 pm PDT by
In a victory for Epic Games, Apple was today found to be in violation of a 2021 injunction that required it to allow developers to direct customers to third-party purchase options on the web using in-app links. Judge Yvonne Gonzalez Rogers, who has been handling the Apple vs. Epic Games dispute for the last five years, said that Apple is in "willful violation" of the injunction she issued to ...
iphone 16 pro ghost hand

iPhone 18 Rumors: What to Expect From Apple Next Year

Friday May 2, 2025 3:01 am PDT by
Apple's is continually working with suppliers on successive iPhone models simultaneously, which is why we often get rumored features so far ahead of launch. The iPhone 18 series is no different, and we already have a picture forming of what to expect from Apple's 2026 smartphone lineup. If you're skipping this year's upcoming iPhone 17 series, or just plain curious about Apple's plans...
General Spotify Feature

Spotify Submits iOS App Update With Out-of-App Purchase Options

Thursday May 1, 2025 3:37 pm PDT by
Spotify today submitted an app update to Apple that will include information on Spotify plan costs and options to subscribe through weblinks without using the in-app purchase system. Spotify will not need to pay a fee to Apple when customers subscribe to the service using alternate payment methods in the Spotify app. In a blog post announcing the changes, Spotify said that yesterday's ruling ...
iphone 16 display

iPhone 17's Scratch Resistant Anti-Reflective Display Coating Canceled

Monday April 28, 2025 12:48 pm PDT by
Apple may have canceled the super scratch resistant anti-reflective display coating that it planned to use for the iPhone 17 Pro models, according to a source with reliable information that spoke to MacRumors. Last spring, Weibo leaker Instant Digital suggested Apple was working on a new anti-reflective display layer that was more scratch resistant than the Ceramic Shield. We haven't heard...
iOS 19

Apple Already Testing iOS 19.4 After Delaying Personalized Siri Features

Thursday May 1, 2025 9:03 am PDT by
A subset of Apple's software engineers started internal development of iOS 19.4 last month, according to the MacRumors visitor logs. iOS 19.4 is expected to be released in March or April next year, so the software update is still nearly a year away. However, Apple develops both "Fall" and "Spring" versions of iOS each year, with our website's analytics logs indicating that both iOS 19.0 and...

Top Rated Comments

btrach144 Avatar
47 months ago
Why is apple so lazy and incompetent when dealing with security researchers?
Score: 45 Votes (Like | Disagree)
funandblindness Avatar
47 months ago

Why is apple so lazy and incompetent when dealing with security researchers?
Arrogance
Score: 32 Votes (Like | Disagree)
Naraxus Avatar
47 months ago
Rofl. And Apple has the chutzpah to claim they care about & protect user privacy
Score: 26 Votes (Like | Disagree)
Altivec88 Avatar
47 months ago
Its just sad what Apple has become. Here you have people finding vulnerabilities that the staff you pay didn't find. It's essentially like having other people on your payroll that you only have to pay if they find something. Instead they treat them like crap, ignoring simple credit, trying to hush them, or worse yet just ignoring the vulnerability. Its not like paying them would even be a blip in the billions/quarterly profit they make. Instead of encouraging people to report these thing to them, they push them away to potentially sell it to the bad guys. Hopefully it's worth the bad PR, unknown security holes, and the continued erosion of their "privacy" marketing BS.
Score: 25 Votes (Like | Disagree)
SpaceN64 Avatar
47 months ago
Well that sounds bad
Score: 15 Votes (Like | Disagree)
red elma Avatar
47 months ago
Vulnerability chances are greater in logging into this forum than an AirTag in 'Lost Mode'
Score: 15 Votes (Like | Disagree)