Apple AirTags are vulnerable to stored XSS injection attacks
Message of public interest: Be warned: Apple AirTags are currently vulnerable to Stored Cross-Site Scripting (XSS) attacks. Among the various possible XSS exploits is a simple site redirection. If you find an AirTag and are prompted to sign in to iCloud to alert the owner, you have found an "armed" tag. Do not enter your credentials! No login is required to report that you have found an AirTag.
A security researcher has discovered that Apple AirTags are vulnerable to XSS code injection attacks. An attacker simply needs to enter the malicious code into the phone number field before placing the tag in Lost Mode, and then leave it somewhere for an unsuspecting victim to find.
When the Good Samaritan finds the AirTag and scans it to report it as found, the code can redirect the victim to a cloned iCloud login page that records the user's credentials with a keylogger. The victim can then be redirected to the genuine Apple "found" website, which does not require a login, and the reporting process continues as normal.
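The defect described above is an owner-controlled field (the Lost Mode phone number) being rendered into a web page without output encoding. The following is an added illustration, not Apple's code: a hypothetical "found" page renderer in its vulnerable form beside a hardened form that HTML-escapes the value and, on the input side, only accepts strings shaped like a phone number. The sample inputs and the allowlist pattern are constructed for the example.

```python
import html
import re

# Constructed sample inputs: a normal Lost Mode contact number and a
# contact field carrying markup (a harmless test string, not a real payload).
SAMPLE_PHONE = "+1 555 0100"
SAMPLE_HOSTILE = "+1 555 0100<script>alert(1)</script>"

# Hypothetical allowlist for a contact number: optional leading plus, then
# digits, spaces, dashes and parentheses, 7 to 20 characters in total.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ()-]{6,19}$")


def render_unsafe(phone: str) -> str:
    """The class of defect the article describes: the owner-supplied value is
    interpolated straight into HTML, so any markup in it becomes active."""
    return f"<p>Contact the owner at: {phone}</p>"


def render_safe(phone: str) -> str:
    """Hardened output: escape for the HTML text context before interpolating.
    quote=True also neutralises quotes in case the value lands in an attribute."""
    return f"<p>Contact the owner at: {html.escape(phone, quote=True)}</p>"


def validate_phone(phone: str) -> bool:
    """Hardened input: reject anything that is not shaped like a phone number,
    so markup never reaches storage in the first place (defence in depth)."""
    return PHONE_RE.fullmatch(phone) is not None


if __name__ == "__main__":
    for value in (SAMPLE_PHONE, SAMPLE_HOSTILE):
        print("input      :", value)
        print("valid      :", validate_phone(value))
        print("unsafe html:", render_unsafe(value))
        print("safe html  :", render_safe(value))
        print()
```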
Bobby Rauch, a Boston-based security consultant, discovered the zero-day flaw in June. He informed Apple about the vulnerability and gave them the standard 90-day deadline before disclosing it to the public. While he waited, Apple never contacted him to say whether a fix was in progress, or whether he would be credited and rewarded with a bug bounty.
After he went public, Apple confirmed the vulnerability and told 9to5Mac that it was working on a fix. However, it gave no timeframe for when a fix would be available.
In addition to redirecting victims to a phishing website, Rauch said other types of injection are possible, including session token hijacking, clickjacking, and more.
“An attacker can create armed Airtags and leave them there, victimizing innocent people who are just trying to help someone find their lost Airtag,” he wrote.
An example of how the redirect attack works can be seen in the video above. An attentive user may notice that the domain changes from "found.apple.com" to "10.0.1.137", but an average person may not notice anything suspicious. The attacker could also use a domain name that would be easily overlooked.
The most powerful mitigation for this flaw is awareness. Users should know that reporting a found AirTag requires no login. However, this does not eliminate the risk of falling victim to other types of injection.