Apple’s AirTag personal item-tracker devices can be used to deliver malware, slurp credentials, steal tokens and more, thanks to a cross-site scripting (XSS) bug.
Independent security researcher Bobby Rauch found that, when an AirTag is in its “Lost Mode,” threat actors could exploit the zero-day cross-site scripting vulnerability to launch various web-based attacks. For example, attackers could leverage the XSS bug to redirect victims to a spoofed iCloud page, from which their credentials could be exfiltrated by an installed keylogger.
“A victim will believe they are being asked to sign into iCloud so they can get in contact with the owner of the AirTag, when in fact, the attacker has redirected them to a credential-hijacking page,” Rauch stated, “and since AirTags were recently released, most users would be unaware that accessing the https://found.apple.com page doesn’t require authentication at all.”
Lost Mode is tied to the wider Find My network: if an AirTag does not show up in the Find My app, a user can mark it as missing and will get an alert if it is later picked up by the Find My network. Rauch added that further injection attacks could occur through the Find My app, which is used to scan third-party devices that support Lost Mode.
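The underlying flaw is a page that drops owner-supplied Lost Mode contact text straight into HTML. The snippet below is an added illustration, not Apple’s code; the field name, page layout and sample messages are assumptions, and it contrasts the vulnerable render with output encoding plus a server-side sanity check on the stored message.

```javascript
// Added example (not Apple's code): a Lost Mode page should treat the
// owner-supplied contact message as data, never as markup.
// The field name and page layout are assumptions for illustration.

// Output encoding: convert the HTML-significant characters into entities so
// the browser renders them literally instead of parsing tags or attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: the contact text is concatenated directly into HTML,
// so any markup the owner stored is interpreted by the viewer's browser.
function renderContactUnsafe(contact) {
  return `<p class="contact">${contact}</p>`;
}

// Hardened pattern: same page, but the contact text is encoded on output.
function renderContactSafe(contact) {
  return `<p class="contact">${escapeHtml(contact)}</p>`;
}

// Defensive check for the service that stores the message: a contact note
// has no legitimate need for tags, event-handler attributes or script URLs.
function contactLooksSuspicious(contact) {
  return /<\s*[a-z!/]|javascript:|on\w+\s*=/i.test(String(contact));
}

// Constructed sample inputs: a benign note and one carrying markup.
const BENIGN_CONTACT = "Please call me, +1 555 0100";
const MARKUP_CONTACT = '<b onload="x">Found it? see http://example.invalid</b>';
```

Encoding on output is the fix; the stored-input check is a second layer that also gives defenders a signal worth logging when someone tries to store markup.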