Apple’s personal item-tracker devices, known as AirTag, can be exploited to deliver malware, cause clickjacking, and steal user credentials and tokens, due to a zero-day XSS vulnerability.
AirTag is an iPhone accessory that, according to Apple, provides a private and secure way to easily locate items.
Zero-Day Stored XSS in Apple’s AirTag
The exploit is possible due to an unpatched stored cross-site-scripting issue in AirTag’s Lost Mode feature, which could enable various attacks against users. This type of attack, also known as persistent XSS, takes place when a malicious script is injected into an exposed web application and served back to later visitors.
The only condition needed to exploit the flaw is the user visiting a specially crafted web page.
“Apple’s ‘Lost Mode’ allows a user to mark their Airtag as missing if they have misplaced it.
“This generates a unique https://found.apple.com page, which contains the Airtag’s serial number, and the phone number and personal message of the Airtag owner. If any iPhone or Android user happens to discover a missing Airtag, they can scan it (through NFC) with their device, which will open up the Airtag’s unique https://found.apple.com page on their device,” said Bobby Rauch, an independent security researcher, in a Medium post.
The core of the problem is that these pages lack protection against stored XSS, allowing an attacker to inject malicious code into the AirTag’s Lost Mode page via the phone number field.
For example, the attacker can use the XSS to redirect the user to a fake iCloud page loaded with a keylogger to capture the user’s credentials.
“A victim will believe they are being asked to sign into iCloud so they can get in contact with the owner of the AirTag, when in fact, the attacker has redirected them to a credential-hijacking page. Since AirTags were recently released, most users would be unaware that accessing the https://found.apple.com page doesn’t require authentication at all,” Rauch added.
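A minimal illustration of the missing control, added here as an example that is not from the article, the researcher's post or Apple's code: a lost-item page that interpolates the owner-supplied phone number raw, beside a hardened version that allowlist-validates the number on input and HTML-escapes every owner-controlled field on output. The page markup, field names, regex and sample values are assumptions.

```python
import html
import re

# Constructed sample values (not from the article).
SAFE_PHONE = "+1 415 555 0100"
TAINTED_PHONE = "+1 415 555 0100<script>alert(1)</script>"

# Vulnerable pattern: the owner-supplied phone number and message are
# interpolated straight into the page HTML, so any stored markup survives
# and runs in the browser of whoever scans the tag.
def render_lost_page_vulnerable(phone: str, message: str) -> str:
    return (
        "<p>This item has been lost. Contact the owner:</p>"
        f"<p>Phone: {phone}</p>"
        f"<p>Message: {message}</p>"
    )

# Hardened pattern, two independent layers:
#  1. Input validation: a phone number only ever needs digits, spaces,
#     '+', '-', '(' and ')'. Anything else is rejected before storage.
#  2. Output encoding: every owner-controlled field is HTML-escaped at
#     render time, so even a value that slipped past validation cannot
#     be interpreted as markup.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ()\-]{4,19}$")

def validate_phone(phone: str) -> bool:
    """True only if the value is made of the allowlisted phone characters."""
    return PHONE_RE.fullmatch(phone) is not None

def render_lost_page_hardened(phone: str, message: str) -> str:
    if not validate_phone(phone):
        raise ValueError("phone number contains characters outside the allowed set")
    return (
        "<p>This item has been lost. Contact the owner:</p>"
        f"<p>Phone: {html.escape(phone, quote=True)}</p>"
        f"<p>Message: {html.escape(message, quote=True)}</p>"
    )

def contains_raw_script(rendered: str) -> bool:
    """Cheap check: did a literal <script> tag survive rendering?"""
    return "<script>" in rendered.lower()
```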
More details about the possible AirTag attacks are available in the researcher’s post.
Earlier this month, Apple fixed three zero-day flaws exploited in the wild: CVE-2021-30869, CVE-2021-30860 and CVE-2021-30858.