Ever since Apple launched AirTag, it has been on the radar of privacy advocates. Earlier, some groups expressed concern about how AirTag could be used to track victims of domestic violence. Now a security researcher has shown how an AirTag can be turned into a surveillance weapon by injecting malicious code. An attacker enters malicious code in the phone number field, then puts the AirTag into Lost Mode and leaves it at a chosen location.
For maximum reach, the AirTag is left in a crowded place. Whenever someone finds the AirTag and scans it, they are redirected to a website. The website contains a fake iCloud login page that claims to help the finder report a lost AirTag. Apple has confirmed the vulnerability and is working on a fix.
It is common for bug bounty hunters and security researchers to publicly disclose vulnerabilities 90 days after reporting them. Bobby Rauch, a Boston security consultant, discovered the vulnerability in June this year and reported it to Apple soon after. He disclosed the vulnerability publicly once 90 days had passed since his report to Apple.
Rauch found that XSS code could be entered into the phone number field. Usually, when someone finds an AirTag attached to an item, they scan it with their phone. After the scan, the person should see the contact information of the AirTag owner. In this case, however, they are redirected to a malicious website. There is a good chance that finders will not think twice before entering their iCloud credentials on a fake page.
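As an added illustration (not code from the researcher, Apple, or this article), the following Python shows the two defensive controls that close this class of bug: an allowlist check on the phone number when it is saved, and HTML escaping when the stored value is rendered to the finder. The rendering functions and the sample values are simplified stand-ins constructed for this example.

```python
import html
import re

# Constructed sample values for this example (not from the original report).
LEGIT_PHONE = "+1 (555) 010-0100"
# A "phone number" field stuffed with markup instead of digits.
HOSTILE_PHONE = "call me<script>doEvil()</script>"

# Allowlist: an optional leading '+', then digits, spaces, parentheses, hyphens.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ()\-]{5,19}$")


def is_valid_phone(value: str) -> bool:
    """Input-time check: only characters a phone number can contain pass."""
    return PHONE_RE.fullmatch(value.strip()) is not None


def validate_phone(value: str) -> str:
    """Returns a normalised digits-only form (keeping a leading '+'), or raises
    ValueError so markup never reaches storage in the first place."""
    value = value.strip()
    if not is_valid_phone(value):
        raise ValueError("phone number contains disallowed characters")
    digits = re.sub(r"[^0-9]", "", value)
    return ("+" if value.startswith("+") else "") + digits


def render_contact_unsafe(phone: str) -> str:
    """Interpolates the stored value straight into HTML: the class of bug
    described above, where whatever the owner typed is parsed as markup."""
    return f"<p>Owner contact: {phone}</p>"


def render_contact_safe(phone: str) -> str:
    """Output-time escaping: '<', '>', '&' and quotes become text, not tags."""
    return f"<p>Owner contact: {html.escape(phone, quote=True)}</p>"


def is_clean(rendered: str) -> bool:
    """Detection-style check for a test or page scanner: apart from the
    template's own <p> tags, no '<' may appear in the rendered fragment."""
    return "<" not in re.sub(r"</?p>", "", rendered)
```

Escaping on output is the control that would have stopped the redirect even if a hostile value had already been stored; the allowlist keeps such values out of the data store in the first place.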
Many security researchers have already criticized Apple for the way it manages its bug bounty program. In some cases, the company has ignored critical vulnerabilities for as long as six months. One security researcher has accused Apple of denying a bounty after he reported a valid vulnerability. We hope that Apple will fix the vulnerabilities and make improving its bug bounty program a priority.