by asiachick 1730 days ago
I'm sure I could design codes people would scan. Ideas: "dog lost, scan to help", "win a free iPad at Apple [Apple Logo] official back to school give-away for education [QR]", "50% off Coke [QR]" etc... and just make up a domain "officialapplecontest.com", "couponsforcoke.com" etc..
2 comments

Sure, you could do that and get some people to fall for it. But in the end, you can just call them stupid for scanning random QR codes and then entering private information. No involvement by Apple.

An airtag is a product by a big company, claiming to be trustworthy. Claiming their products are safe. You are actually told by Apple to scan those airtags, made by them. So you find an Apple airtag, scan it with your Apple iPhone, and an Apple login form is presented to you. Way, way different from that qr code scenario.

No, you can’t get me to scan a qr code found in the wild.

It’s on Apple to convince us that it is safe to scan Airtags. And currently their messaging is that they don’t care?

Then I ain’t scanning no Airtag.

This isn't an Airtag bug as such. This is a bug in displaying user information on Apple's website, it just happens to be in the part that was made for Airtags to link to. It's a simple XSS vulnerability.

The fact that Apple let such a stupid bug into their web site is worrying enough. The fact that they don't acknowledge and fix it within hours, when reported to them via their bounty program means that it's not just "don't scan Airtags" you should be thinking, it's "don't visit apple.com / icloud.com / other Apple websites"
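An added illustration of the bug class the comment above names (not code from the thread or from Apple's site): a lost-mode page that interpolates the owner's contact details straight into HTML, beside the same page with output encoding and an allow-list check on the phone field. The field names and the sample input are assumptions constructed for the example.

```python
import html
import re

# Constructed sample input: what an owner could type into the lost-mode
# "phone" field if the site stores it without validation (assumption).
SAMPLE_PHONE = "<script>alert(1)</script>"
SAMPLE_MESSAGE = 'Please call, reward "offered"'

# Allow-list for the phone field: digits, spaces, plus sign, parentheses, dashes.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ()\-]{4,19}$")


def render_lost_mode_vulnerable(phone: str, message: str) -> str:
    """The bug pattern the comment describes: user-supplied text dropped into
    the HTML template unchanged, so markup in a field becomes live markup."""
    return f"<p>Contact: {phone}</p><p>{message}</p>"


def is_plausible_phone(phone: str) -> bool:
    """Defence in depth: reject anything that cannot be a phone number at all."""
    return PHONE_RE.fullmatch(phone) is not None


def render_lost_mode_escaped(phone: str, message: str) -> str:
    """Hardened rendering: every user-controlled value is HTML-escaped at the
    point of output (quotes included), and the phone field is allow-listed
    first so an invalid value is replaced rather than rendered."""
    shown_phone = phone if is_plausible_phone(phone) else "(invalid number)"
    return (
        f"<p>Contact: {html.escape(shown_phone, quote=True)}</p>"
        f"<p>{html.escape(message, quote=True)}</p>"
    )


def user_markup_survives(rendered: str, user_value: str) -> bool:
    """Check used for a regression test: does the user's raw value appear
    verbatim in the output, meaning any tags it carried are still live?"""
    return user_value in rendered


if __name__ == "__main__":
    print(render_lost_mode_vulnerable(SAMPLE_PHONE, SAMPLE_MESSAGE))
    print(render_lost_mode_escaped(SAMPLE_PHONE, SAMPLE_MESSAGE))
```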

> The fact that Apple let such a stupid bug into their web site is worrying enough.

Those recent articles about large groups of employees pushing the company to take stands on anything but work-related matters make me wonder if the sane, competent employees have either left or have "mentally checked out."

See: https://www.nytimes.com/2021/09/17/technology/apple-employee...