by alexatalktome 1730 days ago
I think the intended attack is to fake an apple login page with the link. You open an actual apple.com page first when you find a tag - so pretty safe to scan - then if you open the link you’ll get an apple login page. Not suspicious.

Now you’ve phished the Apple credentials off someone thinking they’re helping find your lost keys. Fewer people would scan a random QR code they found. And even fewer would mistake it for a real Apple login and feel compelled to log in.


I'm sure I could design codes people would scan. Ideas: "dog lost, scan to help", "win free iPad at Apple [Apple Logo] official back to school give-away for education [QR]", "50% off Coke [QR]", etc... and just make up a domain: "officialapplecontest.com", "couponsforcoke.com", etc.
Sure, you could do that and get some people to fall for that. But in the end, you can just call them stupid for scanning random QR codes and then entering private information. No involvement by Apple.

An airtag is a product by a big company, claiming to be trustworthy. Claiming their products are safe. You are actually told by Apple to scan those airtags, made by them. So you find an Apple airtag, scan it with your Apple iPhone, and an Apple login form is presented to you. Way, way different from that qr code scenario.

No, you can’t get me to scan a qr code found in the wild.

It’s on Apple to convince us that it is safe to scan Airtags. And currently their messaging is that they don’t care?

Then I ain’t scanning no Airtag.

This isn't an Airtag bug as such. This is a bug in displaying user information on Apple's website, it just happens to be in the part that was made for Airtags to link to. It's a simple XSS vulnerability.

The fact that Apple let such a stupid bug into their web site is worrying enough. The fact that they don't acknowledge and fix it within hours, when reported to them via their bounty program means that it's not just "don't scan Airtags" you should be thinking, it's "don't visit apple.com / icloud.com / other Apple websites"

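To make the "bug in displaying user information" concrete, here is an added illustration (not Apple's code, and not taken from the thread): a hypothetical "found item" page that echoes an owner-supplied contact field, first rendered by raw string interpolation and then with output encoding plus an input allowlist. The field names, the sample payload and the look-alike login host are all assumptions made for the example.

```javascript
// Added example, not Apple's code: a hypothetical renderer for a "found item"
// page that shows data a tag owner stored. Field names are assumptions.

// Constructed benign record, as an honest owner might store it.
const BENIGN_TAG = { ownerName: 'Alice', contact: '+1 555 0100' };

// Constructed malicious record: a "contact" value that, if echoed raw into the
// page, sends the finder to a look-alike login page. Host is a placeholder.
const MALICIOUS_TAG = {
  ownerName: 'Alice',
  contact: '<script>location="https://login.example.invalid/"</script>',
};

// Vulnerable renderer: user data is interpolated straight into HTML, so any
// markup stored in the record becomes part of the page (stored XSS).
function renderUnsafe(tag) {
  return `<p>Found an item belonging to ${tag.ownerName}.</p>` +
         `<p>Contact: ${tag.contact}</p>`;
}

// Output encoding: turns the five HTML-significant characters into entities so
// user text is displayed as text, never parsed as markup. This is the fix.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Input allowlist for a phone-style contact field (digits, +, -, parentheses,
// spaces, dots). Validation at write time is defence in depth, not a substitute
// for escaping at render time.
function isPlausibleContact(value) {
  return /^[0-9+\-() .]{3,32}$/.test(String(value));
}

// Hardened renderer: reject implausible contact values, then escape everything
// that reaches the template, including the owner's name.
function renderSafe(tag) {
  const contact = isPlausibleContact(tag.contact) ? tag.contact : '(contact withheld)';
  return `<p>Found an item belonging to ${escapeHtml(tag.ownerName)}.</p>` +
         `<p>Contact: ${escapeHtml(contact)}</p>`;
}

// Crude check used to compare the two renderers: does the markup still contain
// an executable <script> element?
function containsScript(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe :', renderUnsafe(MALICIOUS_TAG));
console.log('safe   :', renderSafe(MALICIOUS_TAG));
console.log('benign :', renderSafe(BENIGN_TAG));
```

Run with `node found-page.js`; the unsafe output carries the script element verbatim, the hardened output does not. A Content-Security-Policy that forbids inline scripts is a useful backstop for a page like this, but the root cause is still the missing output encoding, and that is what has to be fixed.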
> The fact that Apple let such a stupid bug into their web site is worrying enough.

Those recent articles about large groups of employees pushing the company to take stands on anything but work-related matters make me wonder if the sane, competent employees have either left or have "mentally checked out."

See: https://www.nytimes.com/2021/09/17/technology/apple-employee...