Apple's bug-bounty program keeps taking hits from security researchers, who say it is slow and inconsistent in responding to vulnerability reports.
This time, the problem is a failure to sanitize a user-input field, specifically the phone number field that AirTag owners use to help locate lost devices.
Security consultant and penetration tester Bobby Rauch discovered that Apple's AirTags, tiny devices that can be attached to frequently lost items such as laptops, phones, or car keys, don't sanitize user input. This oversight opens the door for AirTags to be used in a drop attack: instead of seeding a target's parking lot with USB drives loaded with malware, an attacker can drop maliciously prepared AirTags.
This kind of attack doesn't require much technical knowledge. The attacker simply types valid XSS into the AirTag's phone number field, puts the AirTag into Lost Mode, and drops it somewhere the target is likely to find it. In theory, scanning a lost AirTag is a safe action; it's only supposed to pop up a webpage at https://found.apple.com/. The problem is that found.apple.com then embeds the contents of the phone number field in the page shown in the victim's browser, unsanitized.
The most obvious way to exploit this vulnerability, Rauch says, is to use simple XSS to pop up a fake iCloud login dialog on the victim's phone. It doesn't take much at all in the way of code.
If found.apple.com innocently embeds the XSS in response to a scanned AirTag, the victim gets a popup window that displays the contents of badside.tld/page.html. That could be a zero-day exploit for the browser or simply a phishing dialog. Rauch posits a fake iCloud login dialog, which can be made to look just like the real thing, except that it sends the victim's Apple credentials to the attacker's server instead.
While this is the obvious exploit, it is by no means the only one available; everything you can do with a webpage is on the table. That ranges from simple phishing, as shown in the example above, to exposing the victim's phone to a zero-day, no-click browser vulnerability.
Rauch has published more technical details, including a short video showing both the vulnerability itself and the network activity generated by exploiting it, in his public disclosure on Medium.
Apple brought this publication on itself
Rauch told Krebs that he initially disclosed the vulnerability privately to Apple on June 20, but for three months all the company would tell him was that it was still investigating. That is an odd response to what appears to be a very simple bug to verify and mitigate. Last Thursday, Apple emailed Rauch saying the vulnerability would be fixed in an upcoming update and asked that he not speak publicly about it.
Apple did not answer Rauch's basic questions, such as whether there was a timeline for fixing the bug, whether he would be credited for the report, and whether it would qualify for a bounty. The lack of communication from Cupertino prompted Rauch to go public on Medium, despite the fact that Apple requires researchers who want credit and/or compensation for their work to stay silent about their discoveries.
Rauch is willing to work with Apple but asked the company to “provide some details on when you plan to remedy this, and whether there will be any recognition or bug bounty payments.” He also warned the company that he plans to release within 90 days. Rauch said Apple’s response was “basically, if you don’t leak it, we’ll appreciate it.”
We reached out to Apple for comment.
This story originally appeared on Ars Technica.