The Apple AirTag is designed so that an owner who loses it can locate it through the “Locator” app. Apple also equipped the tag with “Lost Mode”. When enabled, the device generates a special URL that transmits the owner’s phone number and email.
A new study by KrebsOnSecurity has confirmed that arbitrary code can be entered in the Lost Mode phone number field. Such code can redirect users to a fake iCloud page or to any other site.
The researcher who found the vulnerability reported the bug to Apple, and the company asked him not to release the information to the public. However, several months have passed since his report, and Apple has not responded to his inquiries about progress on fixing the vulnerability. He therefore decided to share the information with the media.
For an AirTag to redirect you to a “malicious site”, you need to scan the tag. Keep in mind that a tag without malicious code immediately shows the data provided by its owner, without requiring you to log in to iCloud or any other site.
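The problem described above is a phone number field that accepts input that is not a phone number. The following added example, which is not Apple's code and is not part of the original report, shows how a service could validate and encode such a contact field before rendering it on a found-item page; all function names and sample values are hypothetical.

```javascript
// Added example: hypothetical handling of a lost-item contact field.
// None of these names come from Apple's implementation.

// Allow only what a phone number needs: optional leading +, digits and
// common separators. Angle brackets, quotes and letters are rejected.
const PHONE_SHAPE = /^\+?[0-9][0-9 ().-]{5,23}$/;

function normalizePhone(input) {
  if (typeof input !== "string") return null;
  const trimmed = input.trim();
  if (!PHONE_SHAPE.test(trimmed)) return null;
  const digits = trimmed.replace(/[^0-9]/g, "");
  // E.164 allows at most 15 digits; require a plausible minimum too.
  if (digits.length < 7 || digits.length > 15) return null;
  return (trimmed.startsWith("+") ? "+" : "") + digits;
}

// Escape at output time as well, so a value that bypassed validation
// (old records, another write path) is still rendered as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Vulnerable form: the stored value is interpolated straight into markup.
function renderFoundPageUnsafe(storedPhone) {
  return `<p>Call the owner: ${storedPhone}</p>`;
}

// Hardened form: validate first, then encode whatever is rendered.
function renderFoundPage(storedPhone) {
  const phone = normalizePhone(storedPhone);
  if (phone === null) {
    return "<p>The owner has not provided a valid phone number.</p>";
  }
  const safe = escapeHtml(phone);
  return `<p>Call the owner: <a href="tel:${safe}">${safe}</a></p>`;
}

// Constructed sample inputs for illustration.
const SAMPLE_OK = "+1 (555) 010-0199";
const SAMPLE_BAD = "<script>location='https://example.invalid/'</script>";
```

Validation at write time and encoding at render time are independent controls; keeping both means a record stored before the validator existed still cannot inject markup.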
Source: MacRumors