Apple, which recently encountered a security problem with a feature that came to iCloud with iOS 15, is now here with AirTag, which allows finding lost items. Devices that can be scanned via iPhones when lost, embed their owner’s phone number on Apple’s site without asking questions. This means that malicious code can be written.
Recently apple, iCloud Private Relay It came to our agenda due to a security vulnerability on it. Due to the said vulnerability, users’ IP addresses could be learned after a few simple operations. It was reported that the problem in question, which was fixed on macOS, still persists on iOS 15 devices.
Not long after that, Apple was again doing something different. explain before us. This time, the one who helped find the lost items. AirTag We can say that the company, which is on our agenda with its product, does not seem to be very keen on this issue, although the solution is simple for itself.
Hackers can use AirTags for malicious purposes (Simply)
- AirTag getting into lost mode
Although AirTags were created to find lost items, they also lost it happens often. For this reason, inloss mode‘ exists. Thanks to this mode, people who find the lost AirTag can scan these devices on their phones and see the phone number of their owners and inform themselves.
When the device is read into the phone owner’s phone numberappears on the iPhone of the person who found the AirTag. The iPhone then embeds this number on Apple’s site. The problem lies exactly in the phone number part. Since there is not much focus on security here, ‘anything‘You can enter. This malicious codes including.
- Scanning a found AirTag and prompting to enter personal information on a fake site
So a harmful XSS code Considering that it is entered, Apple embeds it directly on the site. As a result of this phishing This greatly simplifies the attacks. An example of this would be a fake iCloud login screen when a lost AirTag is scanned. In this way, people can access their login information, unaware transfers it to the other party.
Waited for months:
revealing the deficit Bobby Rauchreported the vulnerability to Apple on June 20. After that, Rauch, who was kept on hold by saying that the problem was being worked on, said that he would openly share the problem after 90 days. When the problem was still not resolved, he shared his article.
RELATED NEWS
Expected iOS 15.0.1 Update from Apple Has Arrived
When AirTags are scanned, they do not ask you to login to any site. For this reason, if this news discouraged you when you were going to buy an AirTag, let us state that there is no problem in using it, it is just good to be cautious.
Source :
https://www.reviewgeek.com/99482/hackers-can-turn-airtags-into-phishing-machines-with-this-simple-exploit/