The AirTag trackers have been one of Apple’s long-rumored products that ended up garnering a bit of controversy on launch. Easy to use and almost too easy to lose, Apple’s new Find My network was also criticized for being a privacy disaster waiting to happen. Apple has worked to address some of those over the course of a few months since the AirTags launched, but a newly reported vulnerability now threatens to harm kindhearted iPhone users that take their time to help trace the owner of a lost tracker.
Apple adjusted its Find My system to accommodate the new AirTag trackers and their ease of use. This convenience, however, raised privacy concerns, like how the trackers could be used to stalk people. There was even one vulnerability that allowed an AirTag to be hacked and modified to do more than just broadcasting its location.
To its credit, Apple has been fixing these issues as they come, but there doesn’t seem to be an end yet in sight to potential exploits. The latest that has been reported by Kerbs on Security revolves around the AirTag’s Lost Mode, where it lets owners set a message and contact number to call in case the tracker was found. The problem is that there aren’t any hard security checks on the links that users can tap on.
In one very plausible scenario, a hacker would have injected a URL into the phone number field of the AirTag’s Lost Mode. That link would direct the user to a malicious page masquerading as an iCloud login page. The unwitting person, thinking of doing a good deed, enters his or her credentials on the page, giving hackers some juicy data for further hacking sprees, especially since people tend to reuse passwords across services.
The report also touches on Apple’s own behavior in handling the bug report from security researcher Bobby Rauch. There are debates on responsible disclosure of such vulnerabilities, especially after a company requests silence on the matter. That said, Apple has also long been chided for its less than ideal handling of these reports, which often end up getting publicized even before Apple fixes them.