AirTags Put Personal Data in Danger

Apple, which recently ran into a security problem with an iCloud feature introduced with iOS 15, is now in the news over AirTag, its tracker for finding lost items. When a lost AirTag is scanned with an iPhone, the owner's phone number is embedded on Apple's site without any checks. This means that malicious code can be written into that field.

Apple was recently in the news for a security vulnerability in iCloud Private Relay. Because of that vulnerability, users' IP addresses could be learned after a few simple operations. The problem was reported to be fixed on macOS but still present on iOS 15 devices.

Not long after that, Apple is back with a different flaw. This time the issue concerns AirTag, the product for finding lost items, and although the fix is simple for the company, it does not seem very willing to address it.

Hackers can easily use AirTags for malicious purposes

  • AirTag Lost Mode

Even though AirTags were created to find lost items, they often get lost as well. For this reason, they have a 'Lost Mode'. With this mode, a person who finds a lost AirTag can scan it with their phone, see the owner's phone number and get in touch with them.

When the AirTag is scanned, the owner's phone number appears on the iPhone of the person who found it. The iPhone then embeds this number on Apple's site. The problem lies exactly in the phone number field. Since little attention is paid to security here, you can enter 'anything' where the phone number is supposed to go. This includes malicious code.

  • Scanning a found AirTag and being prompted to enter personal information on a fake site

So if harmful XSS code is entered, Apple embeds it directly on the site. This, in turn, greatly facilitates phishing attacks. An example would be a fake iCloud login screen shown when a lost AirTag is scanned. In this way, people hand their login information to the other party without realizing it.
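The following is an added example, not code from Apple or from the researcher's write-up. It shows the two server-side controls that close this kind of hole for a phone number field: strict validation before the value is stored, and HTML escaping when it is rendered. The function names, the `Map` used as storage and the page markup are all hypothetical.

```javascript
// Added example: handling a Lost Mode contact field safely.
// All names and the page template are hypothetical, not Apple's code.

// Accept only a phone number: optional "+", then 7-15 digits.
// Spaces, dots, dashes and parentheses are allowed as separators and dropped.
function normalizePhone(input) {
  if (typeof input !== "string" || input.length > 32) return null;
  const s = input.trim();
  if (!/^\+?[0-9\s().-]+$/.test(s)) return null; // rejects <, >, quotes, letters
  const digits = s.replace(/[^0-9]/g, "");
  if (digits.length < 7 || digits.length > 15) return null;
  return (s.startsWith("+") ? "+" : "") + digits;
}

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the characters that can change HTML structure.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Store step: refuse anything that is not a phone number.
function storeLostModeContact(db, tagId, phoneInput) {
  const phone = normalizePhone(phoneInput);
  if (phone === null) return { ok: false, error: "invalid phone number" };
  db.set(tagId, phone);
  return { ok: true, phone };
}

// Render step: escape on output as well, so a value that reached storage by
// another route (older records, a different API) is still shown as inert text.
function renderFoundPage(db, tagId) {
  const phone = db.get(tagId) ?? "";
  return `<p>Contact the owner: <span class="phone">${escapeHtml(phone)}</span></p>`;
}

// Constructed sample inputs.
const sampleDb = new Map();
console.log(storeLostModeContact(sampleDb, "tag-1", "+1 (555) 010-0199"));
console.log(storeLostModeContact(sampleDb, "tag-2", "<script>alert(1)</script>"));
console.log(renderFoundPage(sampleDb, "tag-1"));
```

Either control alone would stop the markup from running in the finder's browser; applying both means a gap in one does not reopen the issue.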

Waited for months:

Bobby Rauch, who discovered the vulnerability, reported it to Apple on June 20. Rauch, who was kept waiting with assurances that the problem was being worked on, said that he would share the problem publicly after 90 days. When the problem was still not resolved, he published his article.

When AirTags are scanned, they do not ask you to log in to any site. So if this news put you off buying an AirTag, note that there is no problem in using one; it is just good to be cautious.
