airtag: Why you may not want to be a ‘good person’ and return someone’s lost Apple AirTag

Apple AirTag is a small GPS tracker-like device that helps in finding items that are attached to it. Even if you don’t use an iPhone, you can scan a lost AirTag with your Android phone via NFC and return it to its rightful owner. But before you think of being a good samaritan, note that a new security flaw has been discovered that can effectively turn the Apple AirTag into a “Trojan”, as per a report by KrebsonSecurity. This means if you scan an unknown Apple AirTag that is put on ‘Lost Mode’ there’s a risk of your phone getting infected
Apple AirTags were launched just a few months back and it is already being weaponised. In fact, the AirTags could be a cheap and easy way to attack a smartphone of some innocent passerby who is just trying to help someone in finding a lost belonging.
Security researcher Bobby Rauch in a post on Medium explained that iCloud credentials may be hijacked if you happen to scan a lost AirTag that has been programmed.
When you scan a lost AirTag via NFC on your phone, you are directed to a unique “https://found.apple.com” page. This page provides information like serial number along with the owner’s phone number and a personal message.
Rauch explained that “an attacker can carry out Stored XSS on this https://found.apple.com page, by injecting a malicious payload into the Airtag “Lost Mode” phone number field.”
He further added, “A victim will believe they are being asked to sign into iCloud so they can get in contact with the owner of the Airtag, when in fact, the attacker has redirected them to a credential hijacking page. Other XSS exploits can be carried out as well like session token hijacking, clickjacking, and more. An attacker can create weaponized Airtags, and leave them around, victimizing innocent people who are simply trying to help a person find their lost Airtag.”
What’s worrying is that, he claimed that “there are countless ways an attacker could victimize an end user who discovers a lost Airtag.”
For those unaware, you need to have an iPhone to use the AirTag. This tracker doesn’t work with Android phones. Having said that, you can use an Android phone with NFC to alert the owner of the AirTag if you happen to find a lost AirTag.

For all the latest Technology News Click Here 

 For the latest news and updates, follow us on Google News

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.