This Apple “AirTag” Vulnerability could be harvesting your credentials
During late September, the headlines were hit with the news of a vulnerability within Apple’s AirTag. Targeting good Samaritans and the curious by using Cross-Site Scripting (XSS), the vulnerability allows malicious actors to steal iCloud credentials and gain access to a victims account. We’re unaware if Apple has patched this vulnerability yet, and it seems like it swept underneath the rug on this occasion.
But, what even is an AirTag? If you’ve heard of a “Tile” before, then it’s essentially Apple’s version of that.
If not, it’s a geolocation tracking device that allows users to find their valuables, given that the device is attached or located with it. You could add it to your keyring or put it in your car, but using Apple’s “Find My” app within iOS and macOS devices, end-users can locate their devices wherever they are in the world for as little as £29.
You might be asking: “what happens if I lose an AirTag and can’t see it on the ‘Find My’ app?” Fortunately, you won’t be out of luck just yet. A feature called “Lost Mode” allows an AirTag to have a final swansong and when recovered. It retrieves information about the owner, allowing the finder to contact them and (hopefully) retrieve their lost belongings. The lost AirTag page allows its owner to insert any information to help the person who found the device and belongings return them to the rightful owner.
Sadly due to the world that we live in, malicious actors have discovered a way to inject arbitrary code into the mobile phone number section of the “Lost Mode” configuration page. Users are redirected to a spoofed phishing login page, which captures the credentials of the victim attempting to rehome the device with its owner.
So, how can you avoid falling victim? Normally upon scanning the lost AirTag, you’ll be met with a page like this:
A sample “Lost Mode” message. Image: Medium @bobbyrsec
In an ideal world, this page will provide you with all the information that you need to get in contact with the owner of the lost phone. If you see a page similar to the above, then proceed as usual.
However, at the time of writing this article, should you find that you are redirected to a page that looks like a login page, then you have not landed yourself in the right place. It is best to assume that the device you’ve found is a credential harvesting device and not a lost AirTag.
To find out more about our security solutions and E-learning courses to help you stay safe online, get in touch!