Security researcher Bobby Rauch has discovered an AirTag exploit that enables zero-day hijacking and other forms of attack simply by injecting stored XSS code to steal unsuspecting victims’ Apple ID and password.
Rauch found the vulnerability in June this year and reported it to Apple. After Apple failed to fix the flaw within 90 days, or to tell him when it would be patched and what his bug bounty status was, the researcher publicly disclosed his findings. The 90-day period is a standard duration in the security field, giving the company time to fix the flaw and credit the researcher.
This week alone, Rauch is the second researcher to share frustration with Apple’s bug bounty program. Denis Tokarev publicly disclosed three iOS 15 zero-day vulnerabilities he found between March and May. As before, when the researcher went public, Apple said a fix was on the way but did not say when.
An AirTag can be weaponized to hijack iCloud credentials
Apple allows AirTag users to mark their lost trackers via Lost Mode, which creates a unique found page for the tracker with its serial number, the phone number of the owner, and a personal message from the owner for the person who finds it.
When a person finds a missing AirTag and scans it with an iPhone or Android smartphone, the unique found page for the tracker opens on their device. Rauch found that attackers can use this unique found page to obtain the unsuspecting person’s Apple ID or iCloud credentials by redirecting them to a fake website that asks them to log in with their ID and password.
An attacker can carry out Stored XSS on this https://found.apple.com page by injecting a malicious payload into the Airtag “Lost Mode” phone number field. A victim will believe they are being asked to sign into iCloud so they can get in contact with the owner of the Airtag, when in fact the attacker has redirected them to a credential hijacking page.
He adds that he has described just one way an XSS exploit can be carried out; there are numerous other ways XSS can be used, such as clickjacking, token hijacking, and others. Attackers could even create weaponized AirTags and deliberately leave them to be found by innocent victims who only wish to return the lost tracker to its owner.
There are countless ways an attacker could victimize an end user who discovers a lost Airtag. Since Airtags were recently released, most users would be unaware that accessing the https://found.apple.com page doesn’t require authentication at all. The https://found.apple.com link can also be used as a phishing link, and shared via a desktop/laptop, without the need for a mobile device to scan the Airtag. Further injection attacks could occur through the Find My App, which is used to scan third-party devices that support “Lost Mode” as part of Apple’s Find My network.
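The root cause described above is an owner-supplied field (the Lost Mode phone number) being placed into the found page without validation or output encoding. The following is an added illustration, not code from Apple or from the researcher: a hypothetical found-page renderer in its vulnerable form beside a hardened form that allowlists the phone number at write time and HTML-encodes every field at render time. The field names, the sample values and the placeholder markup are all constructed for the example.

```python
import html
import re

# Constructed sample values. The markup is a harmless placeholder standing in
# for whatever an owner could type into the phone-number field.
SAFE_PHONE = "+1 415 555 0100"
TAINTED_PHONE = "<script>/* placeholder */</script>"

# Allowlist for a phone-number field: optional leading '+', then digits,
# spaces, dashes and parentheses only. Anything else is rejected on input.
PHONE_RE = re.compile(r"^\+?[0-9 ()\-]{6,20}$")


def phone_is_valid(phone: str) -> bool:
    """Input validation: accept only characters a phone number can contain."""
    return PHONE_RE.fullmatch(phone) is not None


def render_found_page_unsafe(serial: str, phone: str, message: str) -> str:
    """Vulnerable pattern: owner-controlled fields are concatenated straight
    into HTML, so markup typed into the phone field becomes part of the page."""
    return (f"<h1>AirTag {serial} has been lost</h1>"
            f"<p>Contact the owner at {phone}</p>"
            f"<p>{message}</p>")


def render_found_page_safe(serial: str, phone: str, message: str) -> str:
    """Hardened pattern: reject phone values outside the allowlist and
    HTML-encode every field, so text can never be interpreted as markup."""
    if not phone_is_valid(phone):
        raise ValueError("phone number contains disallowed characters")
    return (f"<h1>AirTag {html.escape(serial)} has been lost</h1>"
            f"<p>Contact the owner at {html.escape(phone)}</p>"
            f"<p>{html.escape(message)}</p>")


def contains_script_tag(page: str) -> bool:
    """Simple check used to compare the two renderers on the same input."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_found_page_unsafe("SN-EXAMPLE", TAINTED_PHONE, "Please call me"))
    print(render_found_page_safe("SN-EXAMPLE", SAFE_PHONE, "Please <b>call</b> me"))
```

The hardened renderer is one layer; a found page should also be served with a Content-Security-Policy that disallows inline script, so that a missed encoding does not become credential theft.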
If this sounds like a hypothetical situation in which a person can be fooled into sharing credentials, it’s not. Recently, scammers used Apple’s iPhone 13 event to steal $69,000 worth of Bitcoin from Apple fans who only wanted to see the new iPhone. Attackers exploit system vulnerabilities and people’s naivety to commit fraud. Be careful when sharing personal information online or with anyone else.