"A Simple Bug Is Leaving AirTag Users Vulnerable to an Attack"

Bobby Rauch, a security consultant and penetration tester, has discovered that Apple's AirTags do not sanitize user input. These AirTags are attached to laptops, phones, and other frequently lost items. The lack of user input sanitization leaves AirTags susceptible to being used in attacks in which a malicious actor drops a maliciously prepared AirTag. This would be an alternative to dropping USB drives infected with malware in a target's parking lot. A drop attack using AirTags only requires the threat actor to type valid XSS into the AirTag's phone number field, put the AirTag in Lost Mode, and drop it where the potential victim is likely to find it. Theoretically, scanning a lost AirTag is a safe activity as it is only supposed to bring up found.apple.com, but the problem is that the webpage embeds the contents of the phone number field as shown on the victim's browser, unsanitized. According to Rauch, the vulnerability is exploited by using simple XSS to pop up a fake iCloud login dialog on the victim's phone. This article continues to discuss the AirTag vulnerability that could be exploited by attackers to redirect users to malicious websites. 

Wired reports "A Simple Bug Is Leaving AirTag Users Vulnerable to an Attack"