Ever since Apple launched AirTag, it has been on the radar of privacy advocates. Previously some groups expressed concerns on how AirTag can be used to track down domestic abuse victims. A security researcher has demonstrated how AirTag can be converted into a surveillance weapon by injecting malicious code. The attacker can add malicious code in the phone number field. Once done, they will place it in Lost Mode and drop-in location.
For the maximum impact, the AirTag is placed in a crowded place. Whenever someone finds the AirTag and scans it, they will be redirected to a website. The website features a fake iCloud login claiming to help the person report the lost AirTag. Apple has confirmed the vulnerability and is working on a fix.
It is common for bug bounty hunters and security researchers to disclose vulnerabilities 90 days after reporting. Bobby Raunch, a Boston-Based security consultant, unearthed the vulnerability in June this year. Soon enough, he reported the vulnerability to Apple. The security researcher has published the vulnerability as 90 days have elapsed since reporting it to Apple.
Raunch discovered that one could inject XSS code into the phone number field. Typically, when someone finds an AirTag attached to an item, they scan it with their phone. Once scanned, the person should see the contact details of the AirTag owner. However, in this case, they will be redirected to a malicious website. There is a good chance that finders will not think twice before entering their iCloud credentials on the fake website.
Many security researchers have already criticized Apple for the way it handles the Bug Security program. In some cases, the company has ignored critical vulnerabilities for as long as six months. A security researcher has blamed Apple for denying incentive after reporting a valid vulnerability. We hope Apple starts fixing vulnerabilities on priority and improve the bug bounty program.[via Raunch]