Security News > 2021 > September > Unpatched flaw 'weaponises' Apple AirTags to turn them into the phisherman's friend

Apple has been accused of ignoring a vulnerability in the Lost Mode functionality of its AirTags location-tracking accessories which would allow an attacker to seed "Weaponised AirTags" for harvesting the iCloud credentials of anyone who find them.

Apple chief compliance officer Kyle Andeer was very clear that AirTags are in no way a copy of Tile's popular compact battery-powered devices you stick to your belongings in order to locate them when misplaced.

"Other XSS exploits can be carried out as well like session token hijacking, clickjacking, and more. An attacker can create weaponised AirTags and leave them around, victimising innocent people who are simply trying to help a person find their lost AirTag."

Speaking to Brian Krebs, Rauch claimed that Apple sat on the flaw for three months - and that while it confirmed it planned to resolve the vulnerability in a future update, the company has not yet done so.

Apple also refused to confirm whether Rauch's discovery would qualify for its bug bounty programme and a potential cash payout - a final insult which led to his public release of the flaw.

A fourth flaw had been fixed in an earlier iOS release, the researcher noted, "But Apple decided to cover it up and not list it on the security content page."

News URL

https://go.theregister.com/feed/www.theregister.com/2021/09/29/weaponised_apple_airtags/