Apple Fails to Sanitize Phone Number Field for Lost AirTags

Share post:

Security expert Bobby Rauch has publicly disclosed a vulnerability in Apple’s AirTags which gives attackers the privilege to drop a maliciously prepared AirTag.

According to Rauch, Apple’s AirTag is not able to sanitize user input, because while an attacker only needs to enter valid XSS in the field of the AirTag phone number, put the AirTag into Lost Mode and place it in a location where the target can find it, scanning a lost AirTag allows the website “Found. apple.com” to embed the contents of the phone number field in the website as it appears in the victim’s browser.

For Rauch, one prominent way to exploit the vulnerability is to open a fake iCloud login dialog on the victim’s phone with a simple XSS.

As soon as the website embeds the XXS in the response for a scanned AirTag, the victim receives a pop-up window displaying the contents of badside.tld/page.html which could be a zero-day exploit.

While Rauch first reported the vulnerability to Apple and asked when it would be fixed, the company has been saying for three months that it is investigating the issue that led Rauch to make the vulnerability public.

For more information, read the original story in Arstechnica.

Featured Tech Jobs

SUBSCRIBE NOW

Related articles

Cyber Security Today, March 29, 2024 – PyPI repository shuts to stop malicious uploads, a plea to developers to stop creating apps with SQL...

This episode reports on a US$10 million reward for a ransomware gang, a new Linux version of a backdoor

Cyber Security Today, March 27, 2024 – A botnet exploits old routers, a new malware loader discovered, and more warnings about downloading code from...

This episode reports on a new network of 40,000 infected small and home office routers and other devices that are part of a criminal botnet

Cyber Security Today, March 25, 2024 – A suspected China threat actor going after unpatched F5 and ScreenConnet installations

This episode reports on a new campaign stealing email passwords ,the latest data breaches

A hacker’s view of the civic infrastructure: Hashtag Trending, the Weekend Edition for March 23rd, 2024

What does the civic infrastructure look like through the eyes of a hacker? The legendary general Sun Tzu in the Art of War said that in order to defeat your enemy, you must first understand your enemy. How do you do this? He said, “to know your enemy, you must become your enemy.” If we

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways