Image: Medium vulnerability was discovered and reported to Apple by Bobby Rauch, a security consultant and penetration tester based in Boston. But your average Good Samaritan might not know this.That’s important because Apple’s Lost Mode doesn’t currently stop users from injecting arbitrary computer code into its phone number field — such as code that causes the Good Samaritan’s device to visit a phony Apple iCloud login page.A sample “Lost Mode” message. This information pops up without asking the finder to log in or provide any personal information. Anyone who finds the AirTag and scans it with an Apple or Android phone will immediately see that unique Apple URL with the owner’s message.When scanned, an AirTag in Lost Mode will present a short message asking the finder to call the owner at at their specified phone number. Setting it to Lost Mode generates a unique URL at , and allows the user to enter a personal message and contact phone number. With a seemingly endless amount of pc protection solutions to choose from, it can be hard to make sure you get the right product for you.The AirTag’s “Lost Mode” lets users alert Apple when an AirTag is missing.In 2008, a cyber attack described at the time as “the worst breach of U.S. And Israeli cyber hackers got the infamous Stuxnet worm into the internal, air-gapped network that powered Iran’s nuclear enrichment facilities a decade ago. A USB stick with malware is very likely how U.S. Odds are that sooner or later some employee is going to pick that sucker up and plug it into a computer — just to see what’s on it (the drive might even be labeled something tantalizing, like “Employee Salaries”).If this sounds like a script from a James Bond movie, you’re not far off the mark.
![]() ![]() ![]() But he said neither is it difficult to fix this particular flaw, which requires additional restrictions on data that AirTag users can enter into the Lost Mode’s phone number settings.“It’s a pretty easy thing to fix,” he said. My request was ignored so I’m doing what I said I would.'”Rauch said he realizes the AirTag bug he found probably isn’t the most pressing security or privacy issue Apple is grappling with at the moment. “In illusionofchaos’ own words: ‘Ten days ago I asked for an explanation and warned then that I would make my research public if I don’t receive an explanation. Earlier this week, a security researcher who goes by the handle “illusionofchaos” released writeups on three zero-day vulnerabilities in Apple’s iOS mobile operating system — apparently out of frustration over trying to work with Apple’s bug bounty program.Ars Technica reports that on July 19 Apple fixed a bug that llusionofchaos reported on April 29, but that Apple neglected to credit him in its security advisory.“Frustration with this failure of Apple to live up to its own promises led illusionofchaos to first threaten, then publicly drop this week’s three zero-days,” wrote Jim Salter for Ars. Install office 2011 mac for all users or hard driveMost should display the plaintext destination/action, and prompt to allow or block.In this case, it might not matter much since found.apple.com is not going to raise red flags.But I do remember finding writable NFC tags embedded in the tables at Panera Bread. Bad security and pretty stupid.But there is still the problem of scanning NFC tags or QR codes and have the phone OS, or the App, automatically take you to a website. The story above has been changed to reflect that.This entry was posted on Tuesday 28th of September 2021 11:49 AMYes, this is a serious bug in Apple’s web site, to allow XSS in the phone number field. Scan Usb For Malware On Mac Rumours YesterdayThat’s plenty of time to grasp the internal issues and release a robust action plan.This response is not OK. The customer just places the device on the table (over the label with the tag embedded underneath) when they sit down after ordering.There are also printers with NFC tags built in that automatically open up that vendor’s printer app on the phone when scanned.When they leave the writable flag on, it’s only a matter of time until someone rewrites the tag to send everyone to a Rick Astley Youtube video.I think Apple has a systemic/cultural issue to deal with as it’s had a lot of these white hat flubs and snubs being reported lately.I wrote this comment at Mac Rumours yesterday building on my original comment there after the WaPo news dropped:Given the import of the issue itself and the attention it has received, this is an issuer deserving of a CEO-level response with an apology and an action plan to fix the issue.It’s nonsense that some lower level employee responded with vague reassurances of an ongoing investigation.The initial reports surfaced about 4 business weeks ago. Re-imagined so that the device would wirelessly send the food servers the your table number instead. There is no reason Apple couldn’t find most of it first if it doubled down on this.Apple is the richest company in the history of humanity. When Apple isn’t the first stop for exploits, in such cases the damage is done by the time such holes are closed and the crooks caught.For God’s sake, people have literally died and been hacked into pieces because of unpatched Apple bugs.And in the meantime Apple wants us to put our medical histories, identification, house and office keys in our devices…Yes we can blame NSO and FSB etc, but they are finding what is already there. Some are beyond US Justice, others it takes years to catch. Not every hacker is a white hat. There is no traditional business barrier to Apple doing what it needs to here.Not able to run a robust bug discovery program that draws the best and most submissions (and conversely staffing internally to handle these)? Apple is fully able.
0 Comments
Leave a Reply. |
AuthorSandy ArchivesCategories |