Apple AirTags are vulnerable to stored XSS injection attacks

Cal Jeffrey

Posts: 3,454   +1,032
Staff member
PSA: Be warned: Apple AirTags are currently vulnerable to stored cross-site scripting (XSS) attacks. Among the various XSS exploits possible is a simple site redirect. If you find an AirTag and are asked to log in to iCloud to alert the owner, you have found a "weaponized" tag. Do not enter your credentials! No login is necessary to report you have found an AirTag.

A security researcher has discovered that Apple's AirTags are vulnerable to XSS code injection attacks. An Attacker simply has to enter the malicious code into the phone number field before placing the fob into Lost mode, then leave it somewhere for an unsuspecting victim to find.

When the good samaritan finds the AirTag and scans it to report it as found, the code can redirect the victim to a cloned iCloud login page that records the user's credentials with a keylogger. It can then direct back to the actual Apple Found website, which does not require a login, and the reporting process can continue as normal.

Bobby Rauch, a security consultant based out of Boston, discovered the zero-day flaw in June. He notified Apple of the vulnerability and gave them the standard 90 days before disclosing it to the public. During his wait, Apple never contacted him about whether a fix was on the way, nor if he would be credited and awarded a bug bounty.

After going public, Apple confirmed the security hole and told 9to5Mac that it was working on a fix. However, it did not have a timeframe as to when a patch would be available.

In addition to redirecting victims to a phishing website, Rauch said other types of injections were possible, including session token hijacking, clickjacking, and more.

"An attacker can create weaponized Airtags, and leave them around, victimizing innocent people who are simply trying to help a person find their lost Airtag," he wrote.

An example of how the redirect attack works can be seen in the video above. A savvy user might notice the domain changes from "found.apple.com" to "10.0.1.137," but an average person might not even notice anything suspicious. The attacker could also use a domain name that would be easily overlooked.

The most potent mitigation for this exploit is knowledge. Users should know that to report a found AirTag, no login is required. However, that does not eliminate the risks of falling victim to other types of injection.

Permalink to story.