Apple’s AirTag product is affected by a vulnerability that could be exploited by hackers to lure unsuspecting users to phishing or other types of malicious websites.
Security consultant Bobby Rauch discovered that AirTags, which Apple sells for $30 and advertises as a “supereasy way to keep track of your stuff,” are affected by a stored cross-site scripting (XSS) vulnerability.
While the issue has not been patched by Apple, Rauch disclosed its details this week after becoming frustrated with the tech giant’s vulnerability reporting process.
When AirTag users enable “lost mode” to indicate that they cannot locate the device, they can add their phone number and a custom message that will be displayed to anyone who finds and scans the AirTag with an NFC phone — this includes Android phones.
Rauch noticed that the unique page generated on the found.apple.com domain for each AirTag is affected by a stored XSS vulnerability. More precisely, the XSS flaw can be exploited by inserting a malicious payload into the phone number field on the page.
In a theoretical attack scenario described by the researcher, the attacker enables “lost mode” for their own AirTag and intercepts the request associated with this action. They then inject the malicious payload into the phone number field. The attacker then needs to drop the AirTag device in a location where the targeted user — or anyone, if the attack is opportunistic — picks it up and scans it. Once the AirTag is scanned, the malicious payload is triggered immediately.
Rauch demonstrated the attack by injecting a payload that redirects the victim to an iCloud phishing page. Since it’s an Apple product, the victim might not find an iCloud login page to be suspicious — in reality, users who find and scan an AirTag don’t need to provide any credentials.
In addition to directing users to phishing pages, an attacker could lure users to malware distribution websites, or they could inject a payload for session token hijacking or clickjacking. The researcher also noted that the attacker could leverage the malicious found.apple.com link by sending it directly to the targeted user on a desktop or laptop device — in this case the payload is triggered when the link is accessed and there is no need to scan the AirTag.
Rauch told cybersecurity blogger Brian Krebs that he reported his findings to Apple on June 20, and decided to publicly disclose the vulnerability after becoming frustrated with Apple’s slow progress and refusal to answer his questions about giving him credit for the vulnerability and a possible bug bounty.
SecurityWeek has reached out to Apple for comment and will update this article if the company responds.
This is the second time in recent days that a researcher has disclosed the details of a vulnerability before Apple could release a patch. Researcher Denis Tokarev (aka illusionofchaos) has made public the details of three iOS vulnerabilities that were reported to Apple months ago, but which the tech giant failed to address.
Many cybersecurity experts have complained over the past years about Apple’s bug bounty program, including due to delayed responses and rewards they considered too small. The company said it awarded a total of $3.7 million to the researchers who responsibly disclosed security flaws last year.
Related: Researchers Earn $50,000 for Hacking Apple Servers
Related: Apple Awards Researcher $75,000 for Camera Hacking Vulnerabilities

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
Latest News
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
- Watch on Demand: Supply Chain & Third-Party Risk Summit Sessions
- TikTok CEO Grilled by Skeptical Lawmakers on Safety, Content
- CISA, NSA Issue Guidance for IAM Administrators
- Analysis: SEC Cybersecurity Proposals and Biden’s National Cybersecurity Strategy
