Security researcher Bobby Rauch discovered a vulnerability in AirTag key fobs, which Apple advertises as a convenient solution for tracking personal belongings (for example, laptops, phones, car keys, backpacks, and so on).Gadgets are susceptible to a stored XSS vulnerability. Rauch has revealed the issue, although the patch is not yet available, as he was disappointed in Apple’s bug bounty program.
The root of the vulnerability lies in the fact that when an AirTag user turns on “lost mode”, that is, he cannot find his item, he can add his phone number and a custom message that will be displayed to anyone who finds and scans the AirTag using any device with NFC support.
Rauch noticed that the unique page created on found.apple.com for each AirTag is prone to stored XSS and the problem could be exploited by inserting malicious data into the phone number field.
The researcher describes the following attack scenario: an attacker turns on the “loss mode” for his own AirTag and intercepts the request associated with this operation. Then he enters malicious data into the phone number field.
After that, the attacker can only drop the AirTag device in the place where his target (or a bystander, if the attack is opportunistic) will find the key fob and scan it. After scanning such an AirTag, a malicious payload will be launched immediately.
Rauch demonstrated such an attack by injecting a payload that redirects the victim to a phishing page that mimics iCloud. Since we are talking about an Apple product, the iCloud login page may not raise suspicion from the victim, although, in fact, no credentials need to be provided when scanning the found AirTag.
In a similar way, a criminal can lure his victim to any other site, including one that distributes malware, or create another payload, which, for example. will intercept session tokens and clicks.
Rauch also notes that it is possible to use a malicious link to found.apple.com on its own by sending it directly to your target. In this case, the payload will be launched after accessing the link, and there will not even be a need to scan the AirTag.
Rauch told the well-known cybersecurity journalist Brian Krebs that he notified Apple of the problem on June 20, 2021, but the company reacted very slowly, constantly sending replies that specialists were studying the bug. Apple also refused to answer the expert’s questions about the possible reward for the detected error. As a result, Rauch was completely disappointed in Apple’s bug bounty and decided to publish the details of the vulnerability in the public domain.
Let me remind you that recently another information security specialist disclosed the details of bypassing the lock screen in iOS, and also wrote that this is a kind of revenge to Apple for the fact that earlier in 2021 the company downplayed the significance of similar problems of bypassing the lock screen, which he reported. Shortly thereafter, a researcher known by the nickname Illusion of Chaos published detailed descriptions and exploits for three 0-day vulnerabilities in iOS. He explained that he had reported these issues to Apple at the beginning of the year, but the company has never released any patches.
The Washington Post devoted a long article to this problem, in which many cybersecurity specialists talked about the same problems and argued that the company has never left their bug reports unattended for months, released ineffective patches, understated the size of rewards and generally prohibited researchers from participating in the bug bounty further, if they started to complain.
Let me also remind you that I wrote that Experts showed fraudulent payments from a locked iPhone with Apple Pay and a Visa card.