Security researcher Bobby Rauch found that AirTags, which Apple advertises as a convenient solution for tracking personal belongings (for example, laptops, phones, car keys and backpacks), are susceptible to a stored XSS vulnerability. Rauch disclosed the issue even though a patch is not yet available, because he was disappointed in Apple’s bug bounty program.
The root of the vulnerability lies in “lost mode”. When an AirTag user cannot find an item and turns this mode on, he can add his phone number and a custom message that will be displayed to anyone who finds and scans the AirTag using any device with NFC support.
Rauch noticed that the unique page created on found.apple.com for each AirTag is prone to stored XSS and the issue could be exploited by inserting malicious data into the phone number field.
The researcher describes the following attack scenario: an attacker turns on “lost mode” for his own AirTag and intercepts the request associated with this operation. He then enters malicious data into the phone number field. After that, the attacker only needs to drop the AirTag in a place where his target (or a bystander, if the attack is opportunistic) will find the key fob and scan it. After scanning such an AirTag, the malicious payload will be launched immediately.
Rauch demonstrated such an attack by injecting a payload that redirects the victim to a phishing page that mimics iCloud. Since this is an Apple product, the iCloud login page may not raise suspicion from the victim, although, in fact, no credentials need to be provided when scanning the found AirTag.
In a similar way, a criminal can lure his victim to any other site, including one that distributes malware, or create another payload which, for example, will intercept session tokens and clicks.

Rauch also notes that a malicious link to found.apple.com can be used on its own by sending it directly to the target. In this case, the payload will be launched when the link is opened, and there is no need to scan the AirTag at all.
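Stored XSS of the kind described above arises when a server keeps a request field as submitted and later writes it into a page. The following is an added example, not Apple's code and not taken from Rauch's report, that contrasts that pattern with server-side validation plus output encoding; the function names, the in-memory store and the digit-length rule are assumptions.

```javascript
// Added example: hypothetical server-side handling of a lost-mode phone number.
// Function names and the E.164-style rule are assumptions, not Apple's code.

// Accept only an optional leading "+" followed by 7-15 digits after stripping
// common separators. Anything else is rejected, never "cleaned up" and stored.
function normalizePhone(raw) {
  if (typeof raw !== "string" || raw.length > 32) return null;
  const compact = raw.replace(/[\s().-]/g, "");
  return /^\+?[0-9]{7,15}$/.test(compact) ? compact : null;
}

// Encode the five characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored value is concatenated into markup unchanged.
function renderFoundPageUnsafe(storedPhone) {
  return `<p>Call the owner: <a href="tel:${storedPhone}">${storedPhone}</a></p>`;
}

// Hardened write path: validation runs on the server, so a request edited
// in transit is held to the same rule as one sent by the official client.
function saveLostMode(db, tagId, rawPhone) {
  const phone = normalizePhone(rawPhone);
  if (phone === null) return { ok: false, error: "invalid phone number" };
  db.set(tagId, phone);
  return { ok: true };
}

// Hardened read path: encode on output even though input was validated.
function renderFoundPageSafe(storedPhone) {
  const p = escapeHtml(storedPhone);
  return `<p>Call the owner: <a href="tel:${p}">${p}</a></p>`;
}

// Constructed inputs: one legitimate number, one markup-carrying value.
const db = new Map();
const benign = "+1 (555) 010-0199";
const hostile = '"><script>alert(1)</script>';
console.log(saveLostMode(db, "tag-1", benign));
console.log(saveLostMode(db, "tag-2", hostile));
console.log(renderFoundPageSafe(hostile));
```

Validation on write and encoding on output are independent controls: either one alone stops the constructed input here, and keeping both covers values that were stored before the validation rule existed.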
Rauch told the well-known cybersecurity journalist Brian Krebs that he notified Apple about the problem on June 20, 2021, but the company reacted very slowly, constantly sending replies that specialists were studying the bug. Apple also refused to answer the expert’s questions about the possible reward for the detected error. As a result, Rauch was completely disappointed in Apple’s bug bounty and decided to publish the details of the vulnerability in the public domain.
Let me remind you that another information security specialist recently revealed the details of a lock screen bypass in iOS, and wrote that this was a kind of revenge on Apple for downplaying, earlier in 2021, the significance of similar lock screen bypass problems that he had reported. Soon after, a researcher known as Illusion of Chaos published on Habr a detailed description of, and exploits for, three 0-day vulnerabilities in iOS. He explained that he had reported these issues to Apple at the beginning of the year, but the company has never released any patches.
The Washington Post devoted a long article to this problem, in which many cybersecurity specialists talked about the same problems and argued that the company left their bug reports unattended for months, released ineffective patches, underestimated the size of rewards and generally prohibited researchers from participating in the bug bounty further if they started to complain.