PSA: Apple AirTags are currently vulnerable to XSS attacks. Silently redirecting the page is only one of the abuses XSS allows. If you find an AirTag and are asked to sign in to iCloud to see who owns it, you have found an "armed" tag. Do not enter your credentials! You do not need to log in to report a found AirTag.
A security researcher has discovered that Apple AirTags are vulnerable to XSS code injection attacks. The attacker simply has to enter the malicious code into the Lost Mode phone number field before placing the tag, then drop it somewhere for an unsuspecting victim to find.
When a good Samaritan finds the AirTag and scans it to report it as found, the code can direct the victim to a cloned iCloud login page that records the user's credentials with a keylogger. The victim can then be sent on to the real Apple Found website, which does not require logging in, and the reporting process continues as normal.
Boston-based security consultant Bobby Rauch reported the vulnerability in June, giving Apple 90 days' notice before disclosing it publicly. While he waited, Apple never told him whether a fix was on the way or whether he would receive a bug bounty. Apple said it was working on the issue, but gave no timeline for when it would be fixed. In addition to directing victims to a phishing website, Rauch said other types of injection are possible, including session token theft, clickjacking, and more.
"An attacker can create and disarm armed weapons and sacrifice innocent people helping someone find their lost AirTag."
An example of how a redirect attack works can be seen in the video above. An attentive user might notice the domain change from "found.apple.com" to "10.0.1.137", but the average person might not notice anything suspicious. An attacker could also use a domain name that is easily overlooked.
The most effective mitigation against this abuse is awareness. Users should know that you do not need to be logged in to report a found AirTag. However, this does not eliminate the risk of falling victim to other types of injection.
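User awareness does not address the stored injection itself, which has to be handled where the phone number is saved and where it is rendered. The following is an added example, not Apple's code and not from the original article: a sketch of allow-list validation on write plus HTML encoding on read for a Lost Mode style contact field. The function names and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example: hypothetical server-side handling of a "found item" contact field.
// normalizePhone, escapeHtml and renderFoundPage are illustrative names, not a real API.

// Allow-list on write: digits plus common separators, optional leading "+".
// Anything else (angle brackets, quotes, letters) is rejected, not "cleaned".
function normalizePhone(input) {
  if (typeof input !== "string") return null;
  const trimmed = input.trim();
  if (!/^\+?[0-9 ().-]{7,24}$/.test(trimmed)) return null;
  const digits = trimmed.replace(/[^0-9]/g, "");
  if (digits.length < 7 || digits.length > 15) return null; // E.164 allows at most 15 digits
  return (trimmed.startsWith("+") ? "+" : "") + digits;
}

// Contextual encoding on read: neutralise HTML metacharacters before output.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render a stored record. Escaping is applied even to validated data so that
// rows written before validation existed still render as inert text.
function renderFoundPage(record) {
  const phone = escapeHtml(record.phone);
  return `<p>Owner's phone: <a href="tel:${phone}">${phone}</a></p>`;
}

// Constructed sample inputs: one legitimate number, one script injection attempt.
const samples = ["+1 (617) 555-0100", "<script>location='//example.invalid'</script>"];
for (const s of samples) {
  const stored = normalizePhone(s);
  console.log(JSON.stringify(s), "->", stored === null ? "rejected" : stored);
}

// A legacy row that bypassed validation is still displayed as text, not executed.
console.log(renderFoundPage({ phone: samples[1] }));
```

Either control alone would stop the redirect described above; applying both covers records stored before validation was introduced.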
Apple AirTags are vulnerable to stored XSS injection attacks