Published: November 13, 2021 on our newsletter Security Fraud News & Alerts Newsletter.
Earlier this year, Apple released their new AirTag device to help users find lost items. They’re customizable Bluetooth-enabled small round discs you can toss into a bag or backpack or attach to your keys and other items via a key chain option. The company promotes this newest product, saying “…AirTag taps into the vast, global Find My network and can help locate a lost item, all while keeping location data private and anonymous with end-to-end encryption.” That’s nice to hear, but despite Apple’s security measures, all is not well with AirTag security.
A security researcher has since discovered and disclosed an AirTag flaw that can redirect users to an iCloud phishing web page and install malware on a device. Apple was made aware of the flaw just four weeks after launching AirTag and has still not patched it, so this security bug is a risk that current and potential AirTag users may not be willing to take.
According to the security researcher, who went public after much frustration with Apple’s lack of acknowledgement of his findings, the AirTag flaw is a stored (persistent) cross-site scripting, or XSS, vulnerability. When an AirTag user enables “Lost Mode” to find the item and enters a phone number in the provided field, that value is stored and later displayed to whoever finds the tag. Because the field is not properly sanitized, a bad actor can inject a malicious payload into the phone number field instead of a number, and it is served along with the page.
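To make the mechanism concrete, here is an added illustration (not Apple’s code, and not from the researcher’s report) of how a stored XSS like the one described arises when a user-supplied field is written into a web page without encoding, next to the hardened form that a defender would expect: output encoding on display and input validation when the value is stored. The function names, the page text and the sample values are all assumptions constructed for this example.

```javascript
// Added example, not Apple's code: a user-stored field rendered into a web page.
// The banner text, function names and sample values below are constructed.

// Naive rendering: the stored phone number is dropped straight into the HTML,
// so anything that looks like markup is treated as markup by the browser.
function renderLostModeBannerUnsafe(phone) {
  return `<p>This AirTag has been lost. Contact the owner at: ${phone}</p>`;
}

// Output encoding: every character that has meaning in HTML becomes an entity,
// so whatever was stored is displayed as text and never interpreted as markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Input validation at the point the value is stored: a phone number should only
// contain digits, with an optional leading "+" and common separators.
function isPlausiblePhoneNumber(value) {
  return /^\+?[0-9][0-9 ().-]{5,19}$/.test(value);
}

// Hardened rendering: reject anything that is not a phone number, and encode
// what is accepted anyway (defence in depth in case validation is bypassed).
function renderLostModeBannerSafe(phone) {
  if (!isPlausiblePhoneNumber(phone)) {
    throw new Error("rejected: contact field does not look like a phone number");
  }
  return `<p>This AirTag has been lost. Contact the owner at: ${escapeHtml(phone)}</p>`;
}

// Constructed sample inputs for the demonstration.
const legitimatePhone = "+1 555 010 0199";
const hostilePhone = "<script>alert(1)</script>";

// Compare both renderers on the same stored values.
function demo() {
  let safeRejected = false;
  try {
    renderLostModeBannerSafe(hostilePhone);
  } catch (e) {
    safeRejected = true;
  }
  return {
    unsafeContainsScriptTag: renderLostModeBannerUnsafe(hostilePhone).includes("<script>"),
    safeRejectedHostileInput: safeRejected,
    safeRendersLegitimate: renderLostModeBannerSafe(legitimatePhone),
    encodedHostile: escapeHtml(hostilePhone),
  };
}

console.log(demo());
```

The fix has two independent layers on purpose: validation keeps markup out of a field that should only ever hold a number, and encoding guarantees that even a value that slips past validation is shown as harmless text.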
Malicious payloads are infamous for delivering all types of malware and attacks, including redirecting users to malicious web pages, tricking a user into divulging their password and other sensitive information, stealing data, encrypting files for ransomware attacks, and much more. Other attack vectors, like email and other types of phishing, are also common carriers of a variety of malware.
We know the AirTag XSS flaw uses an iCloud phishing web page as the starting point of its attack, so tips for avoiding phishing web pages and other types of phishing are always worth reviewing.
Don’t click on links or open attachments from unexpected or suspicious emails and texts as they can lead to compromised web pages and malware installation.
Directly type a URL into a browser to avoid using embedded links or third-party sources.
Make sure a website is safe and secure. Though not a 100% guarantee, a secure website address always starts with “https” and shows a closed lock symbol to the left of the address; keep in mind this only confirms the connection is encrypted, not that the site belongs to who it claims to.
Use anti-virus software and keep all software updated, including apps, and always apply security patches as soon as they are available.
Keep aware of the latest scams and social engineering methods to avoid potential attacks and the malware they install.