A security flaw has been discovered in Apple AirTags. This would allow modifying the web address to which they redirect after activating the lost mode to be used as a tool to launch Phishing attacks. So, even being something that could affect few users, it is important that you know it to avoid any possible unpleasant situation. So that doing the good deed of trying to return it to its owner does not become a nightmare.
Be careful with the AirTag you find
The usefulness of Apple’s AirTags or their alternatives for locating lost objects is something that practically no one doubts at this point in the film. There are already many examples that we have seen and have shown with different experiences how practical this type of location beacons can become.
In the case of AirTags, there are already those who have managed to recover a multitude of their lost personal items or who did not know where they had left them for the last time. Also those who have managed to find them after being stolen by lovers of others and even those who have carried out such curious experiments as seeing the route of a package to which an AirTag was put.
However, when a product of this type offers so much power and becomes something with great importance among a good number of users, it is logical that it should be misused. One of them, in addition, can be carried out due to a security problem that could put any user at risk who reads the information they offer when the lost mode is activated.
According to security expert Bobby Rauch, the phone field can be modified and a web address can be entered with which to execute a phishing attempt .
And it is that, when reading the AirTag with a mobile with NFC, it would be sent to a website to log in to iCloud and thus steal the account.
How AirTag Lost Mode Works
To avoid phishing attacks through the use of AirTags it is important to know how they work, especially when it comes to reading them with your iOS or Android mobile to return it to its owner. Because it would not be fair to lose your account and all that it implies to try to carry out a good deed.
The lost mode is something that the user configures in the event that he loses the AirTag and with it personal object to which he sticks it. When you get lost, you can go to the Find My website and activate this mode to make a sound and, in the worst case, show a message to whoever reads the information using your phone with NFC technology.
That message that can be customized would show the phone number or even a website to connect with the owner to return the object. Well, according to Apple’s documentation, that information should be the phone number and some comments with directions, but never a website, much less one that asks for the iCloud login.
Apple never asks for iCloud sign-in to contact the owner of an AirTag. So this security flaw and risk that it implies is solved, for now, knowing that you do not have to provide an iCloud user name or password.
Apple is already working on the solution
Apple seems to be working on a solution to avoid these types of problems. Obviously others may appear, but for now it is important to know those that already exist. Especially if you are AirTag users and you want to help someone who may lose a personal object who uses it and has it when they find it.