The AirTag feature that lets anyone with a smartphone scan a lost AirTag to find the owner's contact information can be abused for phishing scams, according to a new report shared by KrebsOnSecurity.
When an AirTag is put into Lost Mode, it generates a URL on https://found.apple.com and lets the AirTag owner enter a contact phone number or email address. Anyone who scans that AirTag is automatically directed to the URL with the owner's contact information; no login or personal information is required to view the contact details.
According to KrebsOnSecurity, Lost Mode does not prevent users from injecting arbitrary code into the phone number field, so a person who scans an AirTag can be redirected to a phony iCloud login page or another malicious website. In effect this is a stored cross-site scripting flaw: whatever the owner types into the field is saved with the tag and rendered to every later scanner. Someone who does not know that no personal information is required to view an AirTag's contact details could then be tricked into providing their iCloud login or other personal details, or the redirect could attempt to download malicious software.
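As an added illustration of the class of bug described above (this is example code, not Apple's found.apple.com implementation, and not the payload Rauch reported), here is a minimal model of a lost-item contact page in JavaScript. The vulnerable renderer interpolates the owner-supplied phone field straight into HTML; the hardened one validates the field against a phone-number pattern when it is submitted and HTML-encodes it when it is rendered. The page markup, the field names, the validation policy and the sample payload (which redirects to a placeholder domain) are all assumptions of this example.

```javascript
// Added example, not Apple's code: a toy "lost item" contact page showing how an
// unencoded contact field becomes a stored XSS that redirects whoever scans the tag,
// and the two controls (input validation, output encoding) that close it.

// Constructed sample inputs: a legitimate owner entry and one carrying markup.
// The hostile value and its target domain are assumptions for the demo.
const LEGIT_PHONE = "+1 555 0100";
const HOSTILE_PHONE =
  "<script>location.href='https://example.invalid/login'</script>";

// Vulnerable: the contact field is dropped straight into the page markup, so a
// <script> (or an <a href> to a phishing page) stored by the owner runs in the
// browser of every person who scans the tag.
function renderContactPageVulnerable(phone) {
  return `<p>If found, please call: ${phone}</p>`;
}

// Output encoding: replace the five characters that can change parsing context
// in HTML text and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Input validation (assumed policy): an optional leading "+", then digits, spaces,
// parentheses and hyphens, bounded in length. Markup cannot pass this allowlist.
const PHONE_RE = /^\+?[0-9][0-9 ()-]{3,30}$/;
function isValidPhone(phone) {
  return PHONE_RE.test(String(phone));
}

// Hardened: reject malformed input at write time AND encode at render time.
// Both are kept because validation rules tend to loosen over time (international
// formats, extensions) while output encoding must never be skipped.
function renderContactPageHardened(phone) {
  if (!isValidPhone(phone)) {
    throw new Error("contact phone rejected: not a phone number");
  }
  return `<p>If found, please call: ${escapeHtml(phone)}</p>`;
}

// Crude check used by the demo: does rendered output contain an active-content tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Runs both renderers over both inputs and reports what each produced.
function demo() {
  const result = {
    vulnerableLeaksScript: containsScriptTag(renderContactPageVulnerable(HOSTILE_PHONE)),
    hostileRejectedOnInput: !isValidPhone(HOSTILE_PHONE),
    hardenedLegit: renderContactPageHardened(LEGIT_PHONE),
    encodedHostileIsInert: !containsScriptTag(escapeHtml(HOSTILE_PHONE)),
  };
  console.log(result);
  return result;
}

demo();
```

The point of the example is that the fix is not "filter out `<script>`": the hardened path refuses anything that is not shaped like a phone number, and separately encodes whatever it does accept, so a later relaxation of the pattern cannot reintroduce the redirect.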
The AirTag flaw was found by security consultant Bobby Rauch, who told KrebsOnSecurity that the vulnerability makes AirTags dangerous. “I can’t think of another instance where these sorts of small consumer-grade tracking devices at a low cost like this could be weaponized,” he said.
Rauch contacted Apple on June 20, and Apple took several months to investigate. Apple told Rauch last Thursday that it would address the weakness in an upcoming update, and asked him not to discuss it publicly.
Apple did not answer his questions about whether he would receive credit or whether he qualified for the bug bounty program, so he decided to share details of the vulnerability because of Apple's lack of communication.
“I told them, ‘I’m willing to work with you if you can provide some details of when you plan on remediating this, and whether there would be any recognition or bug bounty payout’,” Rauch said, noting that he had told Apple he planned to publish his findings within 90 days of notifying them. “Their response was basically, ‘We’d appreciate it if you didn’t leak this.’”
Last week, security researcher Denis Tokarev made several zero-day iOS vulnerabilities public after Apple ignored his reports and failed to fix the issues for several months. Apple has since apologized, but the company continues to receive criticism for its bug bounty program and the slowness with which it responds to reports.