Apple AirTag lost mode has a vulnerability that can redirect users to malicious websites

According to a new report, Apple lets anyone scan a lost AirTag with a smartphone to find the owner’s contact information, and this feature may be abused for phishing. When an AirTag is set to Lost Mode, a URL (https://found.apple.com) is generated for it, and the owner can enter a contact phone number or email address. Anyone who scans the AirTag can then see that information and contact the owner.

According to KrebsOnSecurity, computer code can be injected into the Lost Mode fields, so people who scan the AirTag can be redirected to fake iCloud login pages or other malicious websites. Security consultant Bobby Rauch discovered the AirTag vulnerability, and he told KrebsOnSecurity that the vulnerability made AirTag dangerous. He said: “I have never seen such a simple way to make small consumer-grade tracking devices into malicious tools at low cost.”

Rauch contacted Apple on June 20, and the company spent several months investigating. Apple told Rauch last Thursday that it will fix this issue in an upcoming update and asked him not to talk about it in public.
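
One way a service could handle a contact field like the Lost Mode one described above so that it cannot carry markup: allow-list validation when the value is saved, then re-validation and HTML escaping when the found page is rendered. This is an added example, not Apple's code; every function name, both regular expressions and the sample input are assumptions constructed for illustration.

```javascript
// Added illustration; hypothetical names, not Apple's implementation.
const PHONE_RE = /^\+?[0-9][0-9 ().-]{5,18}[0-9]$/;
const EMAIL_RE = /^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

// Constructed sample input: a "phone number" that carries HTML markup.
const CONSTRUCTED_MARKUP = "<b>call</b> +1 555 0100";

// Allow-list check applied when the owner saves the contact value.
function validateContact(raw) {
  if (typeof raw !== "string" || raw.length > 254) {
    return { ok: false, reason: "wrong type or too long" };
  }
  const value = raw.trim();
  if (PHONE_RE.test(value)) return { ok: true, kind: "phone", value };
  if (EMAIL_RE.test(value)) return { ok: true, kind: "email", value };
  return { ok: false, reason: "not a phone number or email address" };
}

// Output encoding for HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Weak form: the stored value is concatenated into the page as-is.
function renderFoundPageUnsafe(contact) {
  return `<p>Contact the owner: ${contact}</p>`;
}

// Hardened form: re-validate on read, then escape on output.
function renderFoundPage(contact) {
  const checked = validateContact(contact);
  if (!checked.ok) return "<p>Contact information unavailable.</p>";
  const target = checked.kind === "phone"
    ? "tel:" + checked.value.replace(/[^0-9+]/g, "")
    : "mailto:" + checked.value;
  return `<p>Contact the owner: <a href="${escapeHtml(target)}">` +
    `${escapeHtml(checked.value)}</a></p>`;
}

console.log(renderFoundPageUnsafe(CONSTRUCTED_MARKUP)); // markup reaches the page
console.log(renderFoundPage(CONSTRUCTED_MARKUP));       // rejected by the allow-list
console.log(renderFoundPage("+1 (555) 010-0199"));      // rendered as a tel: link
```

Validating again at render time means a value that reached storage before the check existed still cannot reach the page as markup.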
