Apple AirTags are vulnerable to stored XSS injection attacks

PSA: Warning: Apple AirTags are currently vulnerable to XSS attacks. Easy site redirection is among the various abuses XSS allows. If you find an AirTag and are asked to sign in to iCloud to see who owns it, you've found a "weaponized" tag. Do not enter your credentials! You do not need to be logged in to report a found AirTag.

A security researcher has discovered that Apple AirTags are vulnerable to XSS code injection attacks. The attacker simply has to enter the malicious code into the Lost Mode phone number field before planting the tag, then drop it somewhere for an unsuspecting victim to find.

When a good Samaritan finds an AirTag and scans it to report it as found, the code can direct the victim to a cloned iCloud login page that records the user's credentials using a keylogger. The victim can then be returned to the actual Apple found site, which does not require logging in, and the reporting process can continue as normal.

Boston-based security consultant Bobby Rauch reported the vulnerability in June, and notified Apple of the vulnerability 90 days before it was made public. While waiting, Apple never told him whether a fix was on the way or whether he would receive a bug bounty. Apple was working on the issue; however, no timeline was available for a fix. In addition to directing victims to a phishing website, Rauch said other types of injection are possible, including session token theft, clickjacking, and more.

"An attacker can create and disarm armed weapons and sacrifice innocent people helping someone find their lost AirTag."

A video demonstration shows how the redirect attack works. A sharp-eyed user might notice the domain change from "found.apple.com" to "10.0.1.137", but the average person might not notice anything suspicious. An attacker could also use a domain name that is easily overlooked.

The most effective mitigation for this abuse is awareness. Users should know that you do not need to be logged in to report a found AirTag. However, this does not eliminate the risk of falling victim to other types of injection.
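
On the server side, an injection through the phone number field is closed by validating the value when it is stored and HTML-encoding it when the found page is rendered. The following is an added example, not code from the article or from Apple; the function names and the page template are hypothetical.

```javascript
// Added example: hypothetical handling of the Lost Mode phone number field.
// Function names and the page template are assumptions, not Apple's code.

// Allowlist: optional leading "+", then 7-15 digits once separators are removed.
const PHONE_RE = /^\+?[0-9]{7,15}$/;

// Validate at write time, before the value is stored against the tag.
function normalizePhone(input) {
  if (typeof input !== "string" || input.length > 32) return null;
  // Strip only the separators people legitimately type in phone numbers.
  const compact = input.replace(/[\s().-]/g, "");
  return PHONE_RE.test(compact) ? compact : null;
}

// Encode at render time, so a value that bypassed validation stays inert text.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored value is concatenated into markup as-is.
function renderFoundPageUnsafe(storedPhone) {
  return `<p>Call the owner: ${storedPhone}</p>`;
}

// Hardened pattern: the stored value is HTML-encoded before insertion.
function renderFoundPageSafe(storedPhone) {
  return `<p>Call the owner: ${escapeHtml(storedPhone)}</p>`;
}

// Constructed sample inputs (not taken from the original report).
const legit = "+1 (617) 555-0100";
const injected = "<script>document.title='injected'</script>";

console.log(normalizePhone(legit));         // accepted and normalized
console.log(normalizePhone(injected));      // rejected at write time
console.log(renderFoundPageSafe(injected)); // markup rendered as plain text
```

Either control alone would stop the stored payload from executing; applying both means a gap in one layer does not reach the finder's browser.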
