AirTag vulnerability turns tracker into Trojan horse, fix incoming

Posted:
in General Discussion edited September 28
A recently discovered AirTag weakness allows would-be attackers to redirect users to a malicious webpage when the device is scanned in Lost Mode, effectively turning the tracker into a Trojan horse.

AirTag


Lost Mode is a tentpole AirTag capability that, when activated, allows anyone with an NFC-capable device to scan the tracker and read a programmed discovery message that can include an owner's phone number. The feature assists in the return of lost items like car keys if the Find My network fails to locate a lost AirTag.

Researcher Bobby Rauch has uncovered a vulnerability that turns Lost Mode into a potential attack vector.

As outlined by Krebs on Security, Lost Mode generates a unique URL at https://found.apple.com, where owners can enter a personal message and phone number should the device be found. Rauch discovered that Apple's systems do not prevent injection of arbitrary code into the phone number field, meaning unsuspecting good Samaritans who scan the device can be sent to a malicious website.

"I can't remember another instance where these sort of small consumer-grade tracking devices at a low cost like this could be weaponized," Rauch said.

In a Medium post published today, Rauch explains that a Stored XSS exploit can be carried out to inject a malicious payload that redirects to a phishing site that gleans sensitive credentials using a keylogger. Other XSS exploits like session token hijacking and clickjacking can also be deployed, Rauch says.

The researcher informed Apple about the vulnerability on June 20 and said he planned to make the information public in 90 days, as per typical disclosure protocols. He received little information since then beyond statements saying that the company is still investigating the flaw. Apple failed to answer questions about progress on a solution and did not say whether Rauch would be credited in a future security advisory, the report said. The company also did not comment on whether the flaw was eligible for a payout through Apple's Bug Bounty Program.

Last Thursday, five days after the 90-day disclosure protection window expired, Apple contacted Rauch to say that the weakness will be addressed in an upcoming update and asked that he not talk about the bug publicly.

"I told them, I'm willing to work with you if you can provide some details of when you plan on remediating this, and whether there would be any recognition or bug bounty payout'," Rauch said. "Their response was basically, We'd appreciate it if you didn't leak this.'"

Rauch went public to protest Apple's lack of communication, the report said.

A number of other researchers have aired frustrations about Apple's bug reporting program, including security researcher Denis Tokarev. Last week, Tokarev detailed his experience with the Bug Bounty Program, saying he identified and reported four flaws to Apple, but only one has been patched. Apple later apologized for the delay and said it is still investigating the issues.

AirTag has been an area of interest for the security research community since its launch in April. Shortly after the device debuted, researchers found a method by which AirTag can be leveraged to send short messages through the Find My network.

Read on AppleInsider

Comments

  • Reply 1 of 12
    What a wonderful species we are part of! No sooner does something come along to make life better, one of us figures out a way to turn it into more misery. 
    dewmewatto_cobrajony0
  • Reply 2 of 12
    This type of bug is common enough that Apple should have been more careful. 
    Rauch discovered that Apple's systems do not prevent injection of arbitrary code into the phone number field, meaning unsuspecting good Samaritans who scan the device can be sent to a malicious website.

    Fidonet127jony0
  • Reply 3 of 12
    ...is any centralized data at scale by design a Trojan Horse of sorts, or perhaps (if guile unintended) more correctly simply a potentially fallible, vulnerable and compelling target...? I still keep hoping (naively) Apple might revive macOS server as an owncloud-like distributed option more in line with the general zeitgeist of the original internet, if that is even possible...

    edited September 28
  • Reply 4 of 12
    chadbagchadbag Posts: 1,501member
    The fact that Apple got back to him and asked for more time and he basically gave them the finger puts this guy in the d*ck category.  If Apple was totally ignoring him then maybe his protest disclosure would make sense.  But he just put a mark on his forehead that he is a d*ck and not to be worked with. 
    williamlondonwatto_cobra
  • Reply 5 of 12
    dewmedewme Posts: 3,889member
    Sigh. So much for having all new products undergo a design for security (DFS) review. This class of vulnerability should not be making it into a release product, especially for one with such a narrow attack surface. If it was 1995 maybe this would be a forgivable “oops” but in the year 2021, it’s simply embarrassing.
    chadbagPetrolDavewilliamlondonFileMakerFellerjony0
  • Reply 6 of 12
    chadbagchadbag Posts: 1,501member
    dewme said:
    Sigh. So much for having all new products undergo a design for security (DFS) review. This class of vulnerability should not be making it into a release product, especially for one with such a narrow attack surface. If it was 1995 maybe this would be a forgivable “oops” but in the year 2021, it’s simply embarrassing.
    Recently, with all the "oops" we've seen it looks like Apple engineering is run by amateurs.   I know it is not but with this, the file:// thing, and other just stupid engineering issues...
    williamlondon
  • Reply 7 of 12
    chadbag said:
    The fact that Apple got back to him and asked for more time and he basically gave them the finger puts this guy in the d*ck category.  If Apple was totally ignoring him then maybe his protest disclosure would make sense.  But he just put a mark on his forehead that he is a d*ck and not to be worked with. 
    You saw the part where Apple responded five days after the 90 days had expired, did you not?

    You saw the part where he asked Apple for a few reasonable details and they told him to sod off, did you not?
    muthuk_vanalingamgatorguyMplsPStrangeDayswilliamlondonFileMakerFellerjony0
  • Reply 8 of 12
    chadbagchadbag Posts: 1,501member
    chadbag said:
    The fact that Apple got back to him and asked for more time and he basically gave them the finger puts this guy in the d*ck category.  If Apple was totally ignoring him then maybe his protest disclosure would make sense.  But he just put a mark on his forehead that he is a d*ck and not to be worked with. 
    You saw the part where Apple responded five days after the 90 days had expired, did you not?

    You saw the part where he asked Apple for a few reasonable details and they told him to sod off, did you not?
    Interesting way to interpret what happened.   I  think it was a d*ck move and he definitely put a mark on his forehead as someone not to work with.  

    If I want to participate in a bug  bounty program I work with the company and within the boundaries of the program.  I don't go making unilateral demands and expect them to kowtow to them.   If Apple had totally ignored him it would have been different.  Big companies have institutional inertia and don't always or are not able to always respond at the time we want.  But  they did respond.   I only have what was reported here to go on and the "researcher" should have held back to see what apples next move was.  Not  petulantly just release everything to show Apple who the boss is. 
    williamlondon
  • Reply 9 of 12
    crowleycrowley Posts: 8,888member
    chadbag said:
    chadbag said:
    The fact that Apple got back to him and asked for more time and he basically gave them the finger puts this guy in the d*ck category.  If Apple was totally ignoring him then maybe his protest disclosure would make sense.  But he just put a mark on his forehead that he is a d*ck and not to be worked with. 
    You saw the part where Apple responded five days after the 90 days had expired, did you not?

    You saw the part where he asked Apple for a few reasonable details and they told him to sod off, did you not?
    Interesting way to interpret what happened.   I  think it was a d*ck move and he definitely put a mark on his forehead as someone not to work with.  

    If I want to participate in a bug  bounty program I work with the company and within the boundaries of the program.  I don't go making unilateral demands and expect them to kowtow to them.   If Apple had totally ignored him it would have been different.  Big companies have institutional inertia and don't always or are not able to always respond at the time we want.  But  they did respond.   I only have what was reported here to go on and the "researcher" should have held back to see what apples next move was.  Not  petulantly just release everything to show Apple who the boss is. 
    Apple need to understand that the world doesn't tick on their clock, they need to give as well as take.  They've been getting ever worse at relations with technical communities, and actions like this are inevitable as people get pissed off.  Sort it out Apple.  "But we're a big company and have institutional inertia" is not an excuse.
    hammeroftruthFileMakerFellermuthuk_vanalingamjony0
  • Reply 10 of 12
    crowley said:
    chadbag said:
    chadbag said:
    The fact that Apple got back to him and asked for more time and he basically gave them the finger puts this guy in the d*ck category.  If Apple was totally ignoring him then maybe his protest disclosure would make sense.  But he just put a mark on his forehead that he is a d*ck and not to be worked with. 
    You saw the part where Apple responded five days after the 90 days had expired, did you not?

    You saw the part where he asked Apple for a few reasonable details and they told him to sod off, did you not?
    Interesting way to interpret what happened.   I  think it was a d*ck move and he definitely put a mark on his forehead as someone not to work with.  

    If I want to participate in a bug  bounty program I work with the company and within the boundaries of the program.  I don't go making unilateral demands and expect them to kowtow to them.   If Apple had totally ignored him it would have been different.  Big companies have institutional inertia and don't always or are not able to always respond at the time we want.  But  they did respond.   I only have what was reported here to go on and the "researcher" should have held back to see what apples next move was.  Not  petulantly just release everything to show Apple who the boss is. 
    Apple need to understand that the world doesn't tick on their clock, they need to give as well as take.  They've been getting ever worse at relations with technical communities, and actions like this are inevitable as people get pissed off.  Sort it out Apple.  "But we're a big company and have institutional inertia" is not an excuse.
    I agree. Apple always trips over it’s arrogance. 
    williamlondonmuthuk_vanalingamjony0
  • Reply 11 of 12
    chadbag said:
    chadbag said:
    The fact that Apple got back to him and asked for more time and he basically gave them the finger puts this guy in the d*ck category.  If Apple was totally ignoring him then maybe his protest disclosure would make sense.  But he just put a mark on his forehead that he is a d*ck and not to be worked with. 
    You saw the part where Apple responded five days after the 90 days had expired, did you not?

    You saw the part where he asked Apple for a few reasonable details and they told him to sod off, did you not?
    Interesting way to interpret what happened.   I  think it was a d*ck move and he definitely put a mark on his forehead as someone not to work with.  

    If I want to participate in a bug  bounty program I work with the company and within the boundaries of the program.  I don't go making unilateral demands and expect them to kowtow to them.   If Apple had totally ignored him it would have been different.  Big companies have institutional inertia and don't always or are not able to always respond at the time we want.  But  they did respond.   I only have what was reported here to go on and the "researcher" should have held back to see what apples next move was.  Not  petulantly just release everything to show Apple who the boss is. 
    90 days is industry standard time for security researchers to wait until disclosure. Apple knows this, Microsoft knows this, Google knows this, ... everyone in the software industry knows this. You have a responsibility to patch bugs, especially when millions of people are affected and even more so when you tout your company's commitment to privacy and security. Scrambling to respond AFTER this period has expired, and offering only a poor "we're looking into it" message is NOT professional - and professional courtesy is one of the things that security researchers deserve. Apple clearly does not have a proper set of procedures for responding to security notifications as and when they come in, and the only way those of us outside the company can influence that is to make all failures as damaging as possible to the reputation of the company.

    Once again, Apple has shipped software that doesn't sanitise the inputs. This is yet another sign of institutional dysfunction, and increasing the profile of its mistakes is absolutely warranted so that this process can be improved.

    Please consider that if someone owed you money, promised when they borrowed it to get it back to you in 90 days and then contacted you in 95 days to explain that they might need more time and did not mention that payment might not happen, your response might be similar to that of this security researcher.
    muthuk_vanalingamwilliamlondonbeowulfschmidtjony0
  • Reply 12 of 12
    chadbag said:
    Interesting way to interpret what happened.   I  think it was a d*ck move and he definitely put a mark on his forehead as someone not to work with.  

    If I want to participate in a bug  bounty program I work with the company and within the boundaries of the program.  I don't go making unilateral demands and expect them to kowtow to them.   If Apple had totally ignored him it would have been different.  Big companies have institutional inertia and don't always or are not able to always respond at the time we want.  But  they did respond.   I only have what was reported here to go on and the "researcher" should have held back to see what apples next move was.  Not  petulantly just release everything to show Apple who the boss is. 
    90 days is industry standard time for security researchers to wait until disclosure. Apple knows this, Microsoft knows this, Google knows this, ... everyone in the software industry knows this. 
    Exactly this.  
    jony0
Sign In or Register to comment.