Apple forgot to sanitize the Phone Number field for lost AirTags

A plastic tag hangs from a young person's backpack.

Enlarge / Apple’s AirTags—as seen clipped to a backpack, above—allow users to attempt to find their own device via location rebroadcast from other Apple users. If all else fails, the user can enable a “Lost mode” intended to display their phone number when a finder scans the missing AirTag. (credit: James D. Morgan / Getty Images)

The hits keep coming to Apple’s bug-bounty program, which security researchers say is slow and inconsistent to respond to its vulnerability reports.

This time, the vuln du jour is due to failure to sanitize a user-input field—specifically, the phone number field AirTag owners use to identify their lost devices.

The Good Samaritan attack

Security consultant and penetration tester Bobby Rauch discovered that Apple’s AirTags—tiny devices which can be affixed to frequently lost items like laptops, phones, or car keys—don’t sanitize user input. This oversight opens the door for AirTags to be used in a drop attack. Instead of seeding a target’s parking lot with USB drives loaded with malware, an attacker can drop a maliciously prepared AirTag.

Read 10 remaining paragraphs | Comments