When Apple launched the AirTag, it also added support for the Find My network, which lets users locate items they have attached an AirTag to. Unfortunately, there appears to be a bug in the system that could enable a “Good Samaritan” attack.
This comes from a report by KrebsOnSecurity, which found that when an AirTag is in Lost Mode, Apple did not check what was entered in the phone number field, so computer code could be placed there instead of a number. This means that if someone finds a malicious AirTag and scans it with their phone, a popup can be triggered that redirects them to a fake iCloud login page.
Users who think they are doing a good deed may then enter their Apple ID credentials to help, only to have those credentials stolen instead. Speaking to KrebsOnSecurity, Bobby Rauch, who discovered the vulnerability, said he had informed Apple about it.
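The flaw described above, as an added illustration that is not Apple's code and not from the Krebs report: a Lost Mode contact-number field interpolated into a page unchecked, beside a hardened version that validates the field against a strict allow-list and escapes it before rendering. The function names, the regular expression and the HTML layout are assumptions.

```python
import html
import re

# Strict allow-list for a contact number: optional leading "+", then a digit,
# then digits with the usual separators. Anything else is rejected outright.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ()\-.]{4,19}$")


def is_valid_phone(value: str) -> bool:
    """Return True only if value looks like a plain phone number."""
    return bool(PHONE_RE.fullmatch(value))


def render_lost_mode_vulnerable(phone: str) -> str:
    """Mirrors the flaw in the article: the field is inserted into the page
    without validation or escaping, so any markup in it is rendered as-is."""
    return f"<p>Contact owner: {phone}</p>"


def render_lost_mode_hardened(phone: str) -> str:
    """Validate against the allow-list first, then escape anyway (defence in
    depth) before inserting the value into the page."""
    if not is_valid_phone(phone):
        raise ValueError("contact field is not a phone number")
    return f"<p>Contact owner: {html.escape(phone, quote=True)}</p>"


if __name__ == "__main__":
    good = "+1 (555) 010-0000"     # constructed sample number
    bad = "<b>not a number</b>"    # constructed sample containing markup
    print(render_lost_mode_hardened(good))
    print(render_lost_mode_vulnerable(bad))  # markup passes straight through
    try:
        render_lost_mode_hardened(bad)
    except ValueError as exc:
        print("rejected:", exc)
```

The vulnerable renderer shows why a later escaping step alone is not enough to reason about: the hardened version rejects non-numeric input before it reaches the page at all.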
While Apple confirmed the issue and said it would be fixed in an upcoming update, Apple did not respond when asked about a schedule for the fix, whether he would be credited, or whether his discovery would qualify for Apple’s bug bounty program. This apparent lack of communication is something other developers and researchers have grown frustrated with.
Most recently, a researcher felt forced to publicize his findings after submitting them to Apple and receiving no response. After the unwanted attention that followed, Apple acknowledged the report and said it was still investigating.
Source: KrebsOnSecurity