An unpatched stored cross-site scripting (XSS) bug in Apple’s AirTag “Lost Mode” could expose users to several different web-based attacks such as credential harvesting, malware delivery, token theft, and click-jacking. According to security researchers, the personal tracker devices are suffering from a zero-day that could allow attackers to fully weaponize the device. Stored XSS occurs when a malicious script is injected directly into a vulnerable web application, which then saves it and serves it back to other users who view the affected page.
Apple’s AirTags are personal tracking devices that can be attached to a multitude of things, such as AirPods, keys, backpacks, and more. If an AirTagged item has been lost, users can ping the AirTag, which emits a sound so the item can be tracked down, much as the same operation works for Apple’s iPhones. The user can also use the Find My app to see the lost item’s location. However, the Lost Mode pages have no protection against stored XSS, meaning that an attacker could inject a malicious payload into the AirTag by leveraging the Lost Mode phone number field. In one scenario, an attacker could use XSS code to redirect victims to a fake iCloud page equipped with a keylogger that captures credentials.
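The defect described above is a classic one: a free-text contact field is stored and later interpolated into an HTML page as markup rather than as data. The snippet below is an added example (not code from the article, from the researchers, or from Apple) showing the vulnerable rendering pattern beside the hardened one: an allow-list check on the phone number at submission time, and HTML escaping at the output boundary regardless of what was stored. The page template, function names and phone numbers are all constructed for illustration.

```python
"""Treating a user-supplied contact field as data, not markup.

Added example, not code from the article or from Apple. The page template,
field names and phone numbers below are assumptions made for illustration.
"""
import html
import re
from typing import Optional, Tuple

# Strict allow-list for a contact number: optional leading '+', then digits,
# spaces, dots, dashes and parentheses, 5 to 20 characters in total.
# Anything else (letters, angle brackets, quotes) is rejected outright.
PHONE_PATTERN = re.compile(r"^\+?[0-9][0-9 .()-]{3,18}[0-9]$")


def validate_phone(raw: str) -> Optional[str]:
    """Return the trimmed value if it matches the allow-list, otherwise None."""
    value = raw.strip()
    return value if PHONE_PATTERN.fullmatch(value) else None


def render_contact_unsafe(phone: str) -> str:
    """Vulnerable pattern: the stored value is dropped into HTML verbatim,
    so any markup it contains is parsed by the viewer's browser."""
    return f"<p>Contact the owner at: {phone}</p>"


def render_contact_safe(phone: str) -> str:
    """Hardened pattern: escape at the output boundary, every time.
    html.escape with quote=True also neutralises attribute-context breakouts."""
    return f"<p>Contact the owner at: {html.escape(phone, quote=True)}</p>"


def store_and_render(raw: str) -> Tuple[bool, str]:
    """Defense in depth: reject on input, escape on output.

    Returns (accepted, rendered_html). A rejected submission is still rendered
    through the escaping path, so the fallback page is not a second injection point.
    """
    phone = validate_phone(raw)
    if phone is None:
        return False, render_contact_safe("number not available")
    return True, render_contact_safe(phone)


# Constructed inputs: one well-formed number, one that smuggles markup in.
GOOD = "+1 555 010 0123"
BAD = "5550100<b>not a number</b>"

if __name__ == "__main__":
    print(render_contact_unsafe(BAD))  # markup survives and would be parsed
    print(render_contact_safe(BAD))    # markup is displayed as literal text
    print(store_and_render(GOOD))
    print(store_and_render(BAD))
```

The two controls are deliberately independent: validation limits what can be stored, and escaping guarantees that whatever is stored is shown as text. Relying on either alone is how fields like this end up exploitable, since a validator that is later relaxed, or a template that is later reused in a different context, silently reopens the hole.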
Read More: Apple AirTag Zero-Day Weaponizes Trackers