A Simple Bug Leaves AirTag Users Vulnerable to an Attack
The hits keep coming for Apple’s bug-bounty program, which security researchers say is slow and inconsistent in responding to vulnerability reports.
This time, the vulnerability of the day is due to a failure to sanitize a user-input field – specifically, the phone number field AirTag owners use to identify their lost devices.
Security consultant and penetration tester Bobby Rauch discovered that Apple AirTags – small devices that can be attached to frequently lost items such as laptops, phones, or car keys – do not sanitize user input. This oversight opens the door for AirTags to be used in a drop attack. Instead of seeding a target’s parking lot with USB drives loaded with malware, an attacker can drop a maliciously prepared AirTag.
This type of attack does not require much technical know-how: the attacker simply types valid XSS into the AirTag’s phone number field, then puts the AirTag in Lost mode and drops it somewhere the target is likely to find it. In theory, scanning a lost AirTag is a safe action – it is only supposed to open a webpage at https://found.apple.com/. The problem is that found.apple.com then embeds the contents of the phone number field in the page shown in the victim’s browser, unsanitized.
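The defect described above is a classic reflected/stored XSS: an attacker-controlled string is written straight into an HTML page. The following Python is an added example, not the article’s code and not Apple’s, written from the defender’s side. The page template, the helper names and the sample phone numbers are all constructed assumptions; the example shows the unsafe interpolation beside two fixes: contextual output encoding, and an allowlist check on what a phone number may contain.

```python
"""Added example: rendering a user-supplied phone number into a lost-item page.

Everything here is hypothetical (template, helper names, sample values);
it illustrates the class of bug in the article, not any real service.
"""
import html
import re

# Constructed sample inputs (not taken from the article).
BENIGN_PHONE = "+1 555-0100"
MARKUP_PHONE = "<script>alert(1)</script>"  # textbook XSS probe string

# Hypothetical page template; the number is rendered as element text.
_TEMPLATE = (
    "<html><body>"
    "<p>This item was reported lost. Please contact the owner at: "
    "<span id=\"owner-phone\">{phone}</span></p>"
    "</body></html>"
)

# Allowlist for a phone number: optional leading '+', a digit, then
# 4-19 more characters drawn from digits, space, parentheses, dot and dash.
_PHONE_RE = re.compile(r"^\+?[0-9][0-9 ().-]{4,19}$")


def render_lost_page_unsafe(phone: str) -> str:
    """The vulnerable pattern: raw interpolation of user input into HTML."""
    return _TEMPLATE.format(phone=phone)


def render_lost_page_safe(phone: str) -> str:
    """Fix 1: HTML-escape for the context the value lands in (element text).

    html.escape with quote=True also escapes quotes, so the same output
    would be safe inside a double-quoted attribute value.
    """
    return _TEMPLATE.format(phone=html.escape(phone, quote=True))


def is_valid_phone(phone: str) -> bool:
    """Fix 2: reject anything that is not shaped like a phone number."""
    return _PHONE_RE.fullmatch(phone) is not None


def render_lost_page(phone: str) -> str:
    """Defence in depth: validate on input, then encode on output."""
    if not is_valid_phone(phone):
        raise ValueError("phone number contains disallowed characters")
    return render_lost_page_safe(phone)


def contains_raw_markup(page: str) -> bool:
    """Check used by the demo: does the page still carry a live <script> tag?"""
    return "<script>" in page


if __name__ == "__main__":
    print("unsafe  :", render_lost_page_unsafe(MARKUP_PHONE))
    print("escaped :", render_lost_page_safe(MARKUP_PHONE))
    print("valid?  :", is_valid_phone(BENIGN_PHONE), is_valid_phone(MARKUP_PHONE))
    print("hardened:", render_lost_page(BENIGN_PHONE))
```

Escaping alone is the minimum fix; the allowlist is the one that would have made the field useless as an XSS carrier regardless of where the value is later displayed, which matters when the same string is rendered by more than one front end.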
The most obvious way to exploit this vulnerability, Rauch reports, is to use simple XSS to pop up a fake iCloud login dialog on the victim’s phone. It doesn’t take much in the way of code.
If found.apple.com innocently embeds the XSS in the response for a scanned AirTag, the victim gets a popup window displaying the contents of badside.tld/page.html. That could be a zero-day exploit for the browser or simply a phishing dialog. Rauch imagines a fake iCloud login dialog, which could be made to look just like the real thing – but which sends the victim’s Apple credentials to the attacker’s server instead.
Although it’s a compelling exploit, it is by no means the only one available – just about anything you can do with a webpage is on the table. That ranges from simple phishing, as in the example above, to exposing the victim’s phone to a zero-day, no-click browser vulnerability.
More technical detail – and a short video showing both the vulnerability and the network activity generated by Rauch’s exploitation of it – is publicly available in Rauch’s disclosure on Medium.
This Public Disclosure is Brought to You by Apple
Rauch told Krebs that he first disclosed the vulnerability to Apple privately on June 20, but for three months all the company would tell him was that it was “still investigating.” That is a strange response for what appears to be a very simple bug to verify and mitigate. Last Thursday, Apple emailed Rauch to say the vulnerability would be addressed in an upcoming update, and asked him not to discuss it publicly in the meantime.
Apple never answered the basic questions Rauch asked, such as whether it had a timeline for fixing the bug, whether it planned to credit him for the report, and whether it would qualify for a bounty. The lack of communication from Cupertino was what prompted Rauch to go public on Medium, despite the fact that Apple asks researchers to remain silent about their findings if they want credit and/or compensation for their work.
Rauch expressed a willingness to work with Apple but asked the company to “provide some details on when you plan to fix it, and if there is any recognition or bug bounty payment.” He also warned the company that he planned to publish in 90 days. Rauch said Apple’s response was “basically, we’d appreciate it if you didn’t leak this.”
We reached out to Apple for comment.
This story originally appeared on Ars Technica.