Another blow has landed on Apple’s bug-bounty program, which security researchers say is slow and inconsistent in responding to vulnerability reports.
This time, the trouble stems from a failure to sanitize a user input field: specifically, the phone number field that AirTag owners fill in when marking a device as lost.
Security consultant and penetration tester Bobby Rauch discovered that Apple AirTags, small devices that can be attached to frequently lost items such as laptops, phones, or car keys, do not sanitize user input. This omission opens the door to AirTags being used in a drop attack: instead of seeding a target’s parking lot with USB drives loaded with malware, an attacker could drop a maliciously crafted AirTag.
This type of attack doesn’t require a great deal of technical knowledge: the attacker simply types a valid XSS payload into the AirTag’s phone number field, puts the AirTag into Lost mode, and drops it somewhere the target is likely to find it. In theory, scanning a lost AirTag is a safe procedure; the only thing that should happen is that a web page at https://found.apple.com/ opens. The problem is that found.apple.com then embeds the contents of the phone number field in the page displayed in the victim’s browser, without sanitizing it.
Rauch explained that the most obvious way to exploit this vulnerability is to use a simple XSS to bring up a fake iCloud login dialog on the victim’s phone. This doesn’t take much at all in the way of code.
If found.apple.com innocently included such an XSS payload in its response to the scanned AirTag, the victim would get a popup showing the contents of badside.tld/page.html. That could be a zero-day exploit for the browser or just a phishing dialog. Rauch’s assumption is a fake iCloud login dialog, which can be made to look just like the real thing but sends the victim’s Apple credentials to the attacker’s server instead.
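The root cause described above is a classic one: a stored user field is concatenated into HTML with no output encoding. The following is an added example, not Apple’s code and not taken from Rauch’s disclosure, that shows a vulnerable renderer for a Lost Mode contact page next to a hardened one; the function names (`renderLostPageUnsafe`, `renderLostPageSafe`, `escapeHtml`, `isPlausiblePhone`) and the sample inputs are constructed for illustration.

```javascript
// Added example (not Apple's code): rendering a Lost Mode contact page.
// Shows the unsafe interpolation pattern beside a validate-then-encode fix.

// Minimal HTML entity encoder for text placed inside an element body.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Allow-list check: a contact number should only contain digits, spaces,
// a leading plus, parentheses and hyphens; E.164 numbers have at most 15 digits.
const PHONE_RE = /^\+?[0-9 ()\-]{3,20}$/;

function isPlausiblePhone(value) {
  if (!PHONE_RE.test(value)) return false;
  const digitCount = value.replace(/\D/g, '').length;
  return digitCount >= 3 && digitCount <= 15;
}

// Vulnerable pattern: the untrusted field goes straight into the markup,
// so any HTML or script the owner typed is rendered by the finder's browser.
function renderLostPageUnsafe(phone) {
  return `<p>Contact the owner at: ${phone}</p>`;
}

// Hardened pattern: reject anything that is not shaped like a phone number on
// input, and entity-encode on output regardless (defence in depth).
function renderLostPageSafe(phone) {
  if (!isPlausiblePhone(phone)) {
    // Refuse to display the field rather than trying to "clean" it.
    return '<p>Contact number unavailable.</p>';
  }
  return `<p>Contact the owner at: ${escapeHtml(phone)}</p>`;
}

// Constructed sample inputs (hypothetical, not from the disclosure).
const SAMPLE_INPUTS = [
  '+1 (555) 010-0199',           // legitimate number
  '<script>alert(1)</script>',   // markup where a number is expected
  '555-0100" onmouseover="x',    // attempt to break out of an attribute
];

// Render every sample both ways so the difference is visible side by side.
function compareRenderers(inputs = SAMPLE_INPUTS) {
  return inputs.map((input) => ({
    input,
    unsafe: renderLostPageUnsafe(input),
    safe: renderLostPageSafe(input),
    // True when the unsafe renderer passed raw markup through.
    leaksMarkup: renderLostPageUnsafe(input).includes('<script') ||
                 renderLostPageUnsafe(input).includes('onmouseover='),
  }));
}

for (const row of compareRenderers()) {
  console.log(JSON.stringify(row));
}
```

The point of the allow-list check is that a phone number field has a tiny legitimate alphabet, so validation can be strict; the encoder is still applied afterwards because validation rules drift over time while output encoding protects the page regardless of what was stored.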
Although this is a compelling exploit, it is by no means the only one available: everything you can do with a web page is on the table. This ranges from simple phishing, as in the example above, to exposing the victim’s phone to a zero-click browser zero-day.
More technical details, along with short videos showing both the vulnerability and the network activity resulting from Rauch’s exploit, are publicly available in Rauch’s disclosure on Medium.
Apple brought this public disclosure on itself
Rauch told Krebs that he initially disclosed the vulnerability privately to Apple on June 20, but for three months all the company told him was that it was “still investigating.” That is a strange response to what appears to be a very simple bug to verify and mitigate. Last Thursday, Apple sent Rauch an email saying the vulnerability would be addressed in an upcoming update, and asked him not to talk about it publicly in the meantime.
Apple never responded to Rauch’s basic questions, such as whether it had a timeline for fixing the bug, whether it planned to credit him for the report, and whether he would be eligible for a bounty. The lack of communication from Cupertino pushed Rauch to go public on Medium, despite the fact that Apple requires researchers to remain silent about their discoveries if they want credit and/or compensation for their work.
Rauch expressed his willingness to work with Apple, but asked the company to “provide some details about when you plan to fix this, and whether there has been any acknowledgment or bug bounty payment.” He also warned the company that he planned to publish in 90 days. Rauch says Apple’s response was “basically, we’d be grateful if you didn’t leak this.”
We have reached out to Apple for comment.
This story originally appeared on Ars Technica.