Attempting to return an AirTag to its owner could be dangerous

A security flaw has been found in Apple's AirTags. It makes it possible to modify the web address to which they redirect after Lost Mode is activated, so that they can be used as a tool to launch phishing attacks. Even though it is something that could affect few users, it is important to know about it to avoid an unpleasant situation, so that the good deed of trying to return an AirTag to its owner does not become a nightmare.

Beware of the AirTags you find

The usefulness of Apple AirTags or their alternatives for locating lost items is something that practically no one doubts at this point. We have already seen many examples showing how practical this type of location beacon can be.

In the case of AirTags, many people have already managed to recover personal belongings that were lost or whose last location they could not remember. Others have managed to find items after they were stolen, and some have even carried out experiments as curious as tracking the route of a package with an AirTag attached.

However, when a product of this type offers so much power and becomes popular among a good number of users, it is logical that people look for ways to misuse it. One such misuse is possible because of a security problem that could put at risk any user who reads the information an AirTag offers when Lost Mode is activated.

According to security expert Bobby Rauch, the phone field can be modified so that it contains a web address with which to carry out a phishing attempt.

When someone reads the AirTag with an NFC-capable phone, they would be sent to a website asking them to log in to iCloud, and the account would be stolen that way.

How the lost mode of the AirTag works

To avoid phishing attacks carried out through AirTags, it is important to know how they work, especially when it comes to reading one with your iOS or Android phone in order to return it to its owner. It would not be fair to lose your account, and all that this implies, for trying to do a good deed.

Lost Mode is something the owner configures when they lose the AirTag and, with it, the personal object it is attached to. When you lose it, you can go to the Find My website and activate this mode so that it emits a sound and, in the worst case, shows a message to whoever reads the information using their phone with NFC technology.

That message, which can be personalized, would show the phone number or even a website for contacting the owner to return the object. According to Apple's documentation, however, that information should be the phone number and some comments with instructions, but never a website, much less one that asks for an iCloud login.

Apple never asks you to sign in to iCloud to contact the owner of an AirTag. So, for now, the risk from this security flaw is avoided by knowing that you do not have to provide either an iCloud username or password.
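The rule described above, that the contact field should hold a phone number and never a website, can be enforced on the server side. The following is an added example, not Apple's code: the function names, the page layout and the 7 to 15 digit rule are assumptions made for illustration.

```python
import html
import re

# Assumed rule: optional leading "+", then digits with common separators.
_ALLOWED = re.compile(r"\+?[0-9][0-9 ().\-]*")


def normalize_phone(raw):
    """Return the number as digits (with optional '+'), or None if it is not a phone number."""
    if not isinstance(raw, str):
        return None
    value = raw.strip()
    # Allowlist check: anything with letters, ':' or '/' (a web address) fails here.
    if len(value) > 32 or not _ALLOWED.fullmatch(value):
        return None
    digits = re.sub(r"\D", "", value)
    if not 7 <= len(digits) <= 15:  # E.164 numbers have at most 15 digits
        return None
    return ("+" if value.startswith("+") else "") + digits


def render_found_page(raw_phone, raw_message):
    """Build the HTML fragment shown to the finder (hypothetical layout)."""
    phone = normalize_phone(raw_phone)
    if phone is None:
        contact = "<p>No valid phone number was provided.</p>"
    else:
        contact = '<p>Call the owner: <a href="tel:{0}">{0}</a></p>'.format(phone)
    # The owner's comment is escaped so it is displayed as text, never as markup.
    return contact + "<p>" + html.escape(raw_message, quote=True) + "</p>"


# Constructed sample inputs, not taken from any real AirTag.
SAMPLES = [
    ("+1 (555) 010-0199", "Please call, reward offered."),
    ("https://login.example.test/icloud", "Sign in to contact the owner."),
    ("555", '<a href="https://login.example.test">details</a>'),
]

if __name__ == "__main__":
    for phone, message in SAMPLES:
        print(repr(phone), "->", normalize_phone(phone))
        print(render_found_page(phone, message))
```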

Apple is already working on the solution

Apple seems to be working on a solution to avoid this type of problem. Others may well appear, but for now it is important to know about those that already exist, especially if you are an AirTag user and you want to help someone who has lost a personal item to get it back.

