Apple AirTag Zero-Day Weaponizes Trackers
An unpatched stored cross-site scripting bug in Apple's AirTag "Lost Mode" could open up users to a cornucopia of web-based attacks, including credential-harvesting, click-jacking, malware delivery, token theft and more.
If it's further afield, the AirTag sends out a secure Bluetooth signal that can be detected by nearby devices in Apple's Find My network.
These devices send the location of the AirTag to iCloud - and the user can open the Find My app and see the lost item on a map.
If an AirTag doesn't show up in the Find My app, a user can mark the AirTag as missing, and will get an alert if it's later picked up by the Find My network.
The problematic part of Lost Mode has to do with a different perk: If a stranger finds an AirTag in Lost Mode and scans it via near-field communication, it generates a unique https://found.
The issue, according to Rauch, is that these pages don't have protection for stored XSS - so, an attacker can inject a malicious payload into the AirTag using the Lost Mode phone number field.
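The two controls whose absence is described above (validating the phone number field before it is stored, and encoding it when the found page is rendered) look like this in a minimal sketch. This is an added example, not Apple's code or code from the article; every function name, the in-memory store and the sample values are hypothetical and constructed for illustration.

```javascript
// Allowlist for a phone number field: optional leading "+", then only
// digits, spaces, dots, hyphens and parentheses.
const PHONE_SHAPE = /^\+?[0-9 ().-]{7,24}$/;

function validatePhone(input) {
  if (typeof input !== "string") return null;
  const trimmed = input.trim();
  if (!PHONE_SHAPE.test(trimmed)) return null;
  const digits = trimmed.replace(/\D/g, "");
  // Bound the digit count as well as the overall shape (assumed limits).
  if (digits.length < 7 || digits.length > 15) return null;
  return trimmed;
}

// Control 1: reject anything that is not phone-shaped before it is stored.
function saveLostModePhone(store, tagId, input) {
  const phone = validatePhone(input);
  if (phone === null) return false;
  store.set(tagId, phone);
  return true;
}

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak form: the stored value is concatenated into the page as markup.
function renderFoundPageUnsafe(storedPhone) {
  return `<p>Call the owner: ${storedPhone}</p>`;
}

// Control 2: encode on output too, so a value stored before validation
// existed (or written by another path) is rendered as inert text.
function renderFoundPage(storedPhone) {
  return `<p>Call the owner: ${escapeHtml(storedPhone)}</p>`;
}

// Constructed sample inputs.
const SAMPLE_PHONE = "+1 (555) 010-0199";
const SAMPLE_MARKUP = "<script>alert(1)</script>";
```

Either control alone would stop the markup from executing on the found page; applying both covers data that reached storage through some other route.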
News URL
https://threatpost.com/apple-airtag-zero-day-trackers/175143/