Zero-Day: Hijacking iCloud Credentials with Apple Airtags (Stored XSS)


Apple’s “Lost Mode” allows a user to mark their Airtag as missing if they have misplaced it. This generates a unique page, which contains the Airtag’s serial number, and the phone number and personal message of the Airtag owner. If any iPhone or Android user happens to discover a missing Airtag, they can scan it (through NFC) with their device, which will open up the Airtag’s unique page on their device.


An attacker can carry out Stored XSS on this page by injecting a malicious payload into the Airtag “Lost Mode” phone number field. A victim will believe they are being asked to sign in to iCloud so they can contact the owner of the Airtag, when in fact the attacker has redirected them to a credential-harvesting page. Other XSS attacks can be carried out as well, such as session token theft, clickjacking, and more. An attacker can create weaponized Airtags and leave them around, victimizing innocent people who are simply trying to help someone find a lost Airtag.

Reproduction Steps to create a weaponized Airtag:

1. An attacker enables “Lost Mode” on their own Airtag and enters a phone number, which the Find My app submits to Apple.

2. The attacker intercepts this request and injects the following malicious payload into the phone number field:

<script>window.location='';var a = '';</script>

The XSS payload above redirects a victim to the attacker’s fake iCloud page, a cloned login form that records whatever credentials the victim types.

3. A victim then discovers the lost Airtag and scans it with their phone (via NFC, or through the Find My app).

4. This opens the generated “Lost Mode” page. The victim is immediately redirected to the attacker’s page, a direct clone of an Apple login page (in this case iCloud).

5. The victim enters their iCloud credentials, which are immediately exfiltrated to the attacker’s server.

The above walkthrough is only one example of the dangers of Stored XSS. There are countless ways an attacker could victimize an end user who discovers a lost Airtag. Since Airtags were only recently released, most users would be unaware that viewing the page requires no authentication at all, so a sign-in prompt would not look out of place. The link can also be used as a phishing link and shared from a desktop or laptop, with no need for a mobile device to scan the Airtag. Further injection attacks could occur through the Find My app, which is also used to scan third-party devices that support “Lost Mode” as part of Apple’s Find My network.