AirTag 'Lost Mode' Vulnerability Can Redirect Users to Malicious Websites

by

The AirTag feature that allows anyone with a smartphone to scan a lost AirTag to locate the contact information of the owner can be abused for phishing scams, according to a new report shared by KrebsOnSecurity.

f1618938547
When an AirTag is set in Lost Mode, it generates a URL for https://found.apple.com and it lets the AirTag owner enter a contact phone number or email address. Anyone who scans that AirTag is then directed automatically to the URL with the owner's contact information, with no login or personal information required to view the provided contact details.

According to KrebsOnSecurity, Lost Mode does not prevent users from injecting arbitrary computer code into the phone number field, so a person who scans an AirTag can be redirected to a phony iCloud login page or another malicious site. Someone who does not know that no personal information is required to view an AirTag's information could then be tricked into providing their ‌iCloud‌ login or other personal details, or the redirect could attempt to download malicious software.

The AirTag flaw was found by security consultant Bobby Raunch, who told KrebsOnSecurity that the vulnerability makes AirTags dangerous. "I can't remember another instance where these sort of small consumer-grade tracking devices at a low-cost like this could be weaponized," he said.

Rauch contacted Apple on June 20, and Apple took several months to investigate. Apple told Rauch last Thursday that it would address the weakness in an upcoming update, and asked him not to talk about it in public.

Apple did not answer his questions about whether he would receive credit or whether he qualified for the bug bounty program, so he decided to share details on the vulnerability because of Apple's lack of communication.

"I told them, 'I'm willing to work with you if you can provide some details of when you plan on remediating this, and whether there would be any recognition or bug bounty payout'," Rauch said, noting that he told Apple he planned to publish his findings within 90 days of notifying them. "Their response was basically, 'We'd appreciate it if you didn't leak this.'"

Last week, security researcher Denis Tokarev made several zero-day iOS vulnerabilities public after Apple ignored his reports and failed to fix the issues for several months. Apple has since apologized, but the company is continuing to receive criticism for its bug bounty program and the slowness with which it responds to reports.

Tag: AirTags Guide
Related Forum: AirTags

Top Rated Comments

btrach144 Avatar
btrach144
13 months ago
Why is apple so lazy and incompetent when dealing with security researchers?
Score: 45 Votes (Like | Disagree)
funandblindness Avatar
funandblindness
13 months ago

Why is apple so lazy and incompetent when dealing with security researchers?
Arrogance
Score: 32 Votes (Like | Disagree)
Naraxus Avatar
Naraxus
13 months ago
Rofl. And Apple has the chutzpah to claim they care about & protect user privacy
Score: 26 Votes (Like | Disagree)
Altivec88 Avatar
Altivec88
13 months ago
Its just sad what Apple has become. Here you have people finding vulnerabilities that the staff you pay didn't find. It's essentially like having other people on your payroll that you only have to pay if they find something. Instead they treat them like crap, ignoring simple credit, trying to hush them, or worse yet just ignoring the vulnerability. Its not like paying them would even be a blip in the billions/quarterly profit they make. Instead of encouraging people to report these thing to them, they push them away to potentially sell it to the bad guys. Hopefully it's worth the bad PR, unknown security holes, and the continued erosion of their "privacy" marketing BS.
Score: 25 Votes (Like | Disagree)
SpaceN64 Avatar
SpaceN64
13 months ago
Well that sounds bad
Score: 15 Votes (Like | Disagree)
red elma Avatar
red elma
13 months ago
Vulnerability chances are greater in logging into this forum than an AirTag in 'Lost Mode'
Score: 15 Votes (Like | Disagree)
Read All Comments

Related Stories

f1618938547

Police Find Unexpected Use for Apple AirTags

Monday July 19, 2021 3:15 am PDT by
The utility of Apple's AirTag item trackers have started to be seen in law enforcement when locating stolen property, according to recent reports. As reported by GadgetLite, an AirTag user in Boston was able to recover their stolen property with the help of the police and Apple's small tracking device. Earlier this month, the user discovered that his bike had been stolen. Thankfully, he...
Read Full Article
tagvault

ElevationLab Launches 'TagVault' AirTag Holder

Friday April 30, 2021 9:52 am PDT by
ElevationLab today debuted the TagVault, which is the most protective AirTag holder that we've seen to date. Priced at $12.95 for one or $29.95 for a pack of three, the TagVault is a two piece AirTag holder that screws together to offer total protection for an AirTag. The two halves come apart, the AirTag is situated in the middle, and then four screws hold the TagVault together....
Read Full Article174 comments
AirTag is Linked to Apple ID Feature

Apple Announces AirTag Updates to Address Unwanted Tracking

Thursday February 10, 2022 9:58 am PST by
Apple today announced that it is making some updates to AirTags with the aim of cutting down on unwanted tracking. There are several changes that will be implemented in a multi-phase rollout. In an upcoming software update, Apple plans to implement new privacy warnings that will show up during AirTag setup to thwart malicious use. The warning will make it clear that the AirTag is linked to...
Read Full Article229 comments
airtag 1

AirTag Anti-Stalking Measures 'Just Aren't Sufficient' Says Washington Post Report

Wednesday May 5, 2021 6:03 pm PDT by
The safeguards that Apple built into AirTags to prevent them from being used to track someone "just aren't sufficient," The Washington Post's Geoffrey Fowler said today in a report investigating how AirTags can be used for covert stalking. Fowler planted an AirTag on himself and teamed up with a colleague to be pretend stalked, and he came to the conclusion that the AirTags are a "new means...
Read Full Article421 comments
AirTag and Lavender iPhone

Deals: AirTag 4-Pack Available for $89 on Amazon ($10 Off)

Tuesday March 22, 2022 5:44 am PDT by
Amazon today has Apple's AirTag 4-Pack for $89.00, down from $99.00. The accessory is shipped and sold directly by Amazon, and currently only Amazon is offering this sale on the AirTag. There is only a discount on the AirTag 4-Pack right now on Amazon, not on the 1-Pack option. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may ...
Read Full Article30 comments
airtag in hand

Muscle Car Owner Targeted With Hidden AirTag Placed by Thieves

Tuesday December 21, 2021 9:02 am PST by
Michigan resident John Nelson claims that he was recently targeted by car thieves who hid one of Apple's AirTags in his vehicle, a 2018 Dodge Charger. According to a Fox 2 Detroit report, Nelson visited the Great Lakes Crossing shopping center in Auburn Hills, where he spent about two hours. After departing, he got a notification on his phone that informed him he was being tracked by an...
Read Full Article301 comments
silent airtags with speakers removed

Sale of 'Silent AirTags' on eBay and Etsy Raises Privacy Concerns

Thursday February 3, 2022 8:08 am PST by
Apple AirTag tracking devices with deactivated speakers have been spotted on eBay and Etsy, raising privacy concerns about the risks of removing one of the AirTag's safeguards, PCMag reports. The modified AirTags, dubbed "Silent AirTags," have had their internal speaker removed so that they are no longer able to emit a sound to highlight their presence. The Silent AirTag looks identical to a ...
Read Full Article182 comments
airtag in hand

New York Attorney General Issues AirTag Consumer Alert Over Stalking Concerns

Wednesday February 16, 2022 9:47 am PST by
Though Apple last week announced changes to AirTags that will likely help cut down on unwanted tracking, officials are starting to take notice of complaints. New York Attorney General Letitia James today sent out a consumer alert with "safety recommendations" to protect New Yorkers from AirTags (via The Mac Observer). Across the country, Apple AirTags are being misused to track people and...
Read Full Article126 comments

Popular Stories

USB C Over Lightning Feature

EU Passes Law to Switch iPhone to USB-C by End of 2024

Tuesday October 4, 2022 3:30 am PDT by
The European Parliament today voted overwhelmingly in favor of enforcing USB-C as a common charging port across a wide range of consumer electronic devices, including the iPhone and AirPods, by the end of 2024. The proposal, known as a directive, forces all consumer electronics manufacturers who sell their products in Europe to ensure that a wide range of devices feature a USB-C port. This...
Read Full Article360 comments
General iOS 16 Feature Yellow

10 New iOS 16 Features Coming Later This Year

Monday October 3, 2022 2:41 pm PDT by
iOS 16 was released to the public three weeks ago with a customizable Lock Screen, the ability to edit iMessages, improvements to Focus modes, and much more. And in the coming months, iPhone and iPad users have even more new features to look forward to. We've rounded up 10 new features coming to the iPhone and iPad later this year, according to Apple. Many of the features are part of iOS...
Read Full Article90 comments
ipad pro m1 feature

Gurman: Apple Event This October Remains Unlikely, No Touch ID for iPhone 15

Sunday October 2, 2022 6:41 am PDT by
Apple is developing new iPad Pro, Mac, and Apple TV models, and at least some of these products will be released in October, according to Bloomberg's Mark Gurman. However, Gurman continues to believe that Apple is unlikely to hold an event this month. In the latest edition of his Power On newsletter, Gurman said "the big iPhone 14 unveiling last month was probably it for Apple in 2022 in...
Read Full Article189 comments
iOS 16

Apple Preparing iOS 16.0.3 With More Bug Fixes Following iPhone 14 Launch

Monday October 3, 2022 7:53 am PDT by
iOS 16.0.2 was released last month with several bug fixes for iPhone 14 issues, excessive copy and paste permission prompts, and more. Now, evidence suggests that Apple is planning to release iOS 16.0.3 with additional bug fixes. Evidence of an upcoming iOS 16.0.3 software update has shown up in MacRumors analytics logs, which have been a reliable indicator in the past. There are several...
Read Full Article105 comments
Apple SIM Card

Apple SIM No Longer Available for Activating New Cellular Data Plans on iPads

Sunday October 2, 2022 8:04 am PDT by
As of October 1, Apple SIM is no longer available for activating new cellular data plans on supported iPad models, according to an Apple support document. Introduced in 2014, the Apple SIM was designed to allow iPad users to activate cellular data plans from multiple carriers around the world. Initially, the Apple SIM was a physical nano-SIM card, but it was embedded inside later iPad Pro...
Read Full Article63 comments
maxresdefault

Video: AirPods Pro 2 vs. Bose QuietComfort II

Monday October 3, 2022 12:50 pm PDT by
Apple on September 23 officially launched the second-generation version of the AirPods Pro, introducing updated Active Noise Cancellation, Adaptive Transparency, improved sound, and more. Right around the same time, Bose introduced new QuietComfort II earbuds with many similar features, so we thought we'd compare the two to see which has the edge. Subscribe to the MacRumors YouTube channel for ...
Read Full Article88 comments
General YouTube Feature 1

You May Soon Need to Be a YouTube Premium Subscriber to Watch 4K Videos

Monday October 3, 2022 4:29 am PDT by
YouTube may make watching videos in 4K quality on the platform exclusive to only YouTube Premium subscribers, according to screenshots posted by users on Twitter and Reddit. On Reddit (1,2) and Twitter, some users have started to recently notice that on iOS, and presumably across other platforms also, YouTube is now saying that in order to watch videos in 4K, the user must be a paying...
Read Full Article272 comments
dynamic island alan dye

Apple Executives Talk About iPhone 14 Pro's Dynamic Island in New Interview

Sunday October 2, 2022 10:48 am PDT by
In a new interview, Apple's senior vice president of software engineering, Craig Federighi, and Apple's vice president of human interface design, Alan Dye, sat down to discuss the thinking behind the iPhone 14 Pro's Dynamic Island and how it was developed. During the interview with the Japanese magazine Axis, Federighi, who oversees the development of iOS, said Dynamic Island represents the...
Read Full Article184 comments