Apple’s personal item-tracker devices can be used to deliver malware, slurp credentials, steal tokens and more thanks to XSS.
An unpatched stored cross-site scripting (XSS) bug in Apple’s AirTag “Lost Mode” could open up users to a cornucopia of web-based attacks, including credential-harvesting, click-jacking, malware delivery, token theft and more.
That’s according to Bobby Rauch, an independent security researcher who said that it’s possible to use the zero-day to fully weaponize an AirTag, with the ability to attack random strangers (or specific targets) should they interact with it.
Stored XSS, also known as persistent XSS, occurs when a malicious script is injected directly into a vulnerable web application. An attack then only requires that a victim visit a compromised web page.
A word about how AirTags work: Apple’s AirTags are personal tracking devices that can be attached to keys, backpacks and other items. If an AirTagged item is lost and nearby, a user can “ping” the AirTag, which will emit a sound and allow it to be tracked down. If it’s further afield (left behind in a restaurant, etc.), the AirTag sends out a secure Bluetooth signal that can be detected by nearby devices in Apple’s