If you lose an AirTag, the person who finds it can use their iPhone to access a website where they can obtain the owner's contact information, such as an email address or telephone number.
The finder can then report that they have found the lost tag - a process that doesn't require them to provide their own personal data. The finder just needs to visit Apple's found.apple.com website, where they can register the find completely anonymously.
AirTag found: What to do?
However, as KrebsOnSecurity reports, AirTags can be manipulated so that they deceive unsuspecting finders and lure them to a fake website, where they are asked to enter their iCloud data and thus hand it over to criminals. Forwarding to malicious websites is also possible by manipulating the phone number field.
Security researcher Bobby Rauch, who discovered the vulnerability, explained its danger to KrebsOnSecurity: "I can't remember any other case in which such small, inexpensive consumer tracking devices could be used as weapons".
Apple reacts hesitantly - once again
Apple has known about the vulnerability since mid-June and has been investigating it since then. However, a promised update to close it has still not been released.
This recalls the case of the vulnerabilities that security expert Denis Tokarev discovered and reported to Apple, which the company has still not closed. According to Vice, Apple apologized to Tokarev in an email and justified the long silence by saying the vulnerabilities are still being investigated in order to find the best possible protection for users.
The vulnerabilities discovered by Tokarev are not highly critical: to exploit them, you would need an app that was not detected as malware during the admission check. Since Apple has been aware of them since spring, such a scenario is at least unlikely - but Tokarev would have deserved the reward offered under Apple's bounty program.
In terms of lost and possibly manipulated AirTags, the usual warning applies: Never disclose personal data - your contact with the owners of the trackers should be completely anonymous.
This article originally appeared on Macwelt. Translation by Karen Haslam.