Independent security researcher Bobby Rauch warned that Apple's AirTag personal tracking devices contain a yet-to-be-addressed zero-day cross-site scripting (XSS) vulnerability in their "Lost Mode" feature, which threat actors could exploit to launch various web-based attacks, according to Threatpost.
Rauch noted that an attacker could use an XSS payload injected through Lost Mode to redirect victims to a spoofed iCloud sign-in page, where any credentials they enter could be captured by a keylogger injected into the page.
"A victim will believe they are being asked to sign into iCloud so they can get in contact with the owner of the AirTag, when in fact, the attacker has redirected them to a credential-hijacking page. Since AirTags were recently released, most users would be unaware that accessing the https://found.apple.com page doesn't require authentication at all," said Rauch.
Rauch added that threat actors could leverage the vulnerability in various attacks. "The https://found.apple.com link can also be used as a phishing link, and shared via a desktop/laptop, without the need for a mobile device to scan the AirTag. Further injection attacks could occur through the Find My App, which is used to scan third-party devices that support 'Lost Mode' as part of Apple's Find My network," he said.
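To make the attack Rauch describes concrete, the following is an added example (not Apple's code and not Rauch's proof of concept) of a contact card rendered from owner-supplied Lost Mode text. The field names, the `escapeHtml` helper, the `.invalid` hostname in the payload and the rendering functions are all assumptions for illustration; the page does not say how Apple's real page is built. The unsafe renderer interpolates the text straight into HTML, so a script in the field executes in the finder's browser and can redirect to a credential-harvesting page; the hardened renderer escapes the same text so it can only ever be displayed.

```javascript
// Added example, not Apple's code: a minimal model of a "Lost Mode" contact
// card rendered from attacker-controlled text. The AirTag owner supplies the
// contact details; whoever finds the tag sees them rendered in a web page.

// Constructed payload: redirects the finder to a look-alike sign-in page.
// The hostname is a placeholder under the reserved .invalid TLD, not a real site.
const XSS_PAYLOAD =
  '<script>window.location="https://icloud-signin.example.invalid/"</script>';

// Escape the five characters that let text break out of an HTML text node
// or attribute value. Assumed helper, not part of any Apple API.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable renderer: owner-supplied contact text is dropped into the page
// as markup, so a <script> in the field becomes a live script.
function renderContactCardUnsafe(contact) {
  return `<div class="lost-mode">` +
         `<p>This item was lost. Contact the owner at: ${contact}</p>` +
         `</div>`;
}

// Hardened renderer: the same text, escaped so it is displayed, never parsed.
function renderContactCardSafe(contact) {
  return `<div class="lost-mode">` +
         `<p>This item was lost. Contact the owner at: ${escapeHtml(contact)}</p>` +
         `</div>`;
}

// Crude check used only for this demonstration: does the rendered HTML
// contain a script tag or an inline on*= event handler? A real review would
// use a DOM parser; string matching is enough to show the difference here.
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /\son[a-z]+\s*=/i.test(html);
}

// Compare a benign phone number and the payload through both renderers.
function demo() {
  const benign = "+1 555 0100"; // constructed sample input
  return {
    unsafeBenign: containsActiveContent(renderContactCardUnsafe(benign)),
    unsafePayload: containsActiveContent(renderContactCardUnsafe(XSS_PAYLOAD)),
    safePayload: containsActiveContent(renderContactCardSafe(XSS_PAYLOAD)),
  };
}

console.log(demo());
// → { unsafeBenign: false, unsafePayload: true, safePayload: false }
```

Output escaping is the fix on the rendering side; the finder-side caveat Rauch raises still stands: a legitimate found.apple.com page never asks for an iCloud password, so any sign-in prompt reached by scanning a tag should be treated as suspect regardless of how it got there.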