Security Experts:

Connect with us

Hi, what are you looking for?



Hackers Can Exploit Apple AirTag Vulnerability to Lure Users to Malicious Sites

Apple’s AirTag product is affected by a vulnerability that could be exploited by hackers to lure unsuspecting users to phishing or other types of malicious websites.

Apple’s AirTag product is affected by a vulnerability that could be exploited by hackers to lure unsuspecting users to phishing or other types of malicious websites.

Security consultant Bobby Rauch discovered that AirTags, which Apple sells for $30 and advertises as a “supereasy way to keep track of your stuff,” are affected by a stored cross-site scripting (XSS) vulnerability.

While the issue has not been patched by Apple, Rauch disclosed its details this week after becoming frustrated with the tech giant’s vulnerability reporting process.

Apple AirTag vulnerabilityWhen AirTag users enable “lost mode” to indicate that they cannot locate the device, they can add their phone number and a custom message that will be displayed to anyone who finds and scans the AirTag with an NFC phone — this includes Android phones.

Rauch noticed that the unique page generated on the domain for each AirTag is affected by a stored XSS vulnerability. More precisely, the XSS flaw can be exploited by inserting a malicious payload into the phone number field on the page.

In a theoretical attack scenario described by the researcher, the attacker enables “lost mode” for their own AirTag and intercepts the request associated with this action. They then inject the malicious payload into the phone number field. The attacker then needs to drop the AirTag device in a location where the targeted user — or anyone, if the attack is opportunistic — picks it up and scans it. Once the AirTag is scanned, the malicious payload is triggered immediately.

Rauch demonstrated the attack by injecting a payload that redirects the victim to an iCloud phishing page. Since it’s an Apple product, the victim might not find an iCloud login page to be suspicious — in reality, users who find and scan an AirTag don’t need to provide any credentials.

In addition to directing users to phishing pages, an attacker could lure users to malware distribution websites, or they could inject a payload for session token hijacking or clickjacking. The researcher also noted that the attacker could leverage the malicious link by sending it directly to the targeted user on a desktop or laptop device — in this case the payload is triggered when the link is accessed and there is no need to scan the AirTag.

Rauch told cybersecurity blogger Brian Krebs that he reported his findings to Apple on June 20, and decided to publicly disclose the vulnerability after becoming frustrated with Apple’s slow progress and refusal to answer his questions about giving him credit for the vulnerability and a possible bug bounty.

SecurityWeek has reached out to Apple for comment and will update this article if the company responds.

This is the second time in recent days that a researcher has disclosed the details of a vulnerability before Apple could release a patch. Researcher Denis Tokarev (aka illusionofchaos) has made public the details of three iOS vulnerabilities that were reported to Apple months ago, but which the tech giant failed to address.

Many cybersecurity experts have complained over the past years about Apple’s bug bounty program, including due to delayed responses and rewards they considered too small. The company said it awarded a total of $3.7 million to the researchers who responsibly disclosed security flaws last year.

Related: Researchers Earn $50,000 for Hacking Apple Servers

Related: Apple Awards Researcher $75,000 for Camera Hacking Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet