This is according to a report from KrebsOnSecurity where it was discovered that when the AirTag’s Lost Mode is enabled, Apple doesn’t actually check to see if computer code has been entered into the phone number field. What this means is that if someone found a malicious AirTag and scans it with their phone, it could create a popup which could then direct users to a phony iCloud login page.
Users who think that they’re doing a good deed might then enter their Apple ID credentials to try and help, but could end up having their login information stolen instead. Speaking to KrebsOnSecurity, Bobby Rauch, who discovered the vulnerability, said that he had informed Apple about it.
While Apple did acknowledge the issue and stated that it would be fixed in an upcoming update, they did not respond when asked about a timeline for fixing it, if he would be credited, or if his discovery would qualify him for Apple’s bug bounty program. This seeming lack of communication is one that other developers and researchers have been frustrated with.
Just recently a researcher was forced to go public with his findings after submitting them to Apple but got no response from them. Following the unwanted attention, Apple later acknowledged it and said that they were still looking into it.