Security News > 2021 > September > Apple AirTag Zero-Day Weaponizes Trackers
An unpatched stored cross-site scripting bug in Apple's AirTag "Lost Mode" could open up users to a cornucopia of web-based attacks, including credential-harvesting, click-jacking, malware delivery, token theft and more.
If it's further afield, the AirTag sends out a secure Bluetooth signal that can be detected by nearby devices in Apple's Find My network.
These devices send the location of the AirTag to iCloud - and the user can open the Find My app and see the lost item on a map.
If an AirTag doesn't show up in the Find My app, a user can mark the AirTag as missing, and will get an alert if it's later picked up by the Find My network.
The problematic part of Lost Mode has to do with a different perk: If a stranger finds an AirTag in Lost Mode and scans it via near-field communication, it generates a unique https://found.
The issue, according to Rauch, is that these pages don't have protection for stored XSS - so, an attacker can inject a malicious payload into the AirTag using the Lost Mode phone number field.
News URL
https://threatpost.com/apple-airtag-zero-day-trackers/175143/