A Simple Bug Is Leaving AirTag Users Vulnerable to an Attack

Apple's bug-bounty program continues to take hits. Security researchers say it is slow and inconsistent in responding to vulnerability reports.
This article originally appeared on Ars Technica, a trusted source of technology news, analysis, reviews, and other information. Condé Nast, WIRED's parent company, owns Ars.

The vuln du jour this time is caused by a failure to sanitize a user input field: specifically, the phone number field AirTag owners use to identify their lost devices.

Bobby Rauch, a security consultant and penetration tester, discovered that Apple's AirTag, a tiny device that can be attached to frequently lost items such as phones, laptops, and keys, doesn't sanitize user input. Thanks to this oversight, AirTags can be used in a drop attack: instead of seeding the target's surroundings with malware-laden USB drives, an attacker can simply drop maliciously prepared AirTags.

This type of attack does not require any technical know-how. The attacker simply enters valid XSS into the AirTag's phone number field, places the AirTag in Lost mode, and drops it where the target will find it. In theory, scanning a lost AirTag is a safe action; it's only supposed to pop up a webpage at https://found.apple.com/. The problem is that found.apple.com embeds the contents of the phone number field, unsanitized, into the page as it appears in the victim's browser.

Rauch says that the most obvious way to exploit this vulnerability is to use simple XSS to create a fake iCloud login dialog on the victim's device. In terms of code, this is very simple.

If found.apple.com innocently embeds the XSS above into the response for a scanned AirTag, the victim gets a popup window displaying the contents of badside.tld/page.html. That page could host a phishing dialog or a browser zero-day. Rauch suggests a fake iCloud login dialog that looks exactly like the real thing but sends the victim's Apple credentials to the attacker's server instead.
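The defect described above is a reflected output-encoding failure: a value that should only ever be a phone number is written into HTML as-is. The following added example (not code from the article, Apple, or Rauch) models that rendering step in Python, with the unsanitized version beside a hardened one that both validates the field against an allow-list and HTML-escapes it; the template text, the allow-list pattern, and the sample values are all constructed for illustration.

```python
import html
import re

# Assumed policy for this example: a contact number may contain an optional
# leading '+', then only digits, spaces, parentheses and hyphens.
PHONE_RE = re.compile(r"\+?[0-9 ()\-]{3,20}")


def render_lost_page_vulnerable(phone: str) -> str:
    """Embed the owner-supplied phone number into HTML with no escaping.

    This mirrors the defect the article describes: whatever was typed into
    the field becomes part of the page, so markup becomes live code."""
    return f"<p>Contact the owner at: {phone}</p>"


def escape_phone(phone: str) -> str:
    """Output encoding: turn <, >, &, and quotes into HTML entities so the
    browser renders them as text rather than parsing them as tags."""
    return html.escape(phone, quote=True)


def render_lost_page_fixed(phone: str) -> str:
    """Defence in depth: reject anything outside the allow-list, then escape
    on output anyway in case validation is ever bypassed or relaxed."""
    if not PHONE_RE.fullmatch(phone):
        # Reject rather than "clean": a value shaped like markup is discarded.
        raise ValueError("phone number contains characters outside the allow-list")
    return f"<p>Contact the owner at: {escape_phone(phone)}</p>"


# Constructed sample values (not from the article).
BENIGN = "+1 (555) 010-0100"
HOSTILE = '555-0100"><script>alert(1)</script>'  # canonical XSS test string

if __name__ == "__main__":
    print(render_lost_page_vulnerable(HOSTILE))  # script tag survives intact
    print(render_lost_page_fixed(BENIGN))        # plain number renders as-is
    try:
        render_lost_page_fixed(HOSTILE)
    except ValueError as err:
        print("rejected:", err)
```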

This is a compelling exploit, but it is far from the only one: just about anything a webpage can do is on the table, from simple phishing, as in the example above, to exposing the victim's smartphone to a zero-day browser vulnerability.

Rauch's public disclosure on Medium provides more technical details and short videos that demonstrate both the vulnerability and the network activity triggered by his exploit.

Public disclosure after Apple's failure to communicate

Krebs on Security reports that Rauch went public with the disclosure because of Apple's failure to communicate. This is a common refrain.

Rauch told Krebs that he first disclosed the vulnerability to Apple privately on June 20, but that for three months all the company would tell him was that it was "still investigating." That is a strange response for a bug that is remarkably simple to verify and fix. Apple emailed Rauch last Thursday to tell him the vulnerability would be fixed in a forthcoming update. It also asked for anonymity.

Apple did not respond to basic questions Rauch posed, including whether there was a timeframe for fixing the bug, whether it intended to credit him for the report, and whether the report would be eligible for a bounty. Rauch posted his findings on Medium because of this lack of communication from Cupertino.

Rauch indicated his willingness to work with Apple, but asked that the company "provide details about when you plan to remediate this, and whether or not there would be any recognition of this or a bug bounty payout." Rauch also informed Apple that he would publish the information in 90 days. Rauch claims that Apple responded "basically, it'd be appreciated if you didn’t leak this."

Apple has been contacted for comment.
