The new $30 AirTag tracking device from Apple has a feature that allows anyone who finds one of these tiny location beacons to scan it with a mobile phone and discover its owner's phone number if the AirTag has been set to lost mode.

All sounds good, but like many things it does not appear to have been thought through. The research shows this same feature can be abused to redirect the Good Samaritan to an iCloud phishing page -- or to any other malicious website.

Setting the Air Tag  to Lost Mode generates a unique URL at https://found.apple.com/ and allows the user to enter a personal message and contact phone number. Anyone who finds the AirTag and scans it with an Apple or Android phone will immediately see that unique Apple URL with the owner's message.

When scanned, an AirTag in Lost Mode will present a short message asking the finder to call the owner at at their specified phone number. This information pops up without asking the finder to log in or provide any personal information. But your average Good Samaritan might not know this. That's important because Apple's Lost Mode doesn't currently stop users from injecting arbitrary computer code into its phone number field -- such as code that causes the Good Samaritan's device to visit a phony Apple iCloud login page.

The vulnerability was discovered and reported to Apple by Bobby Rauch, a security consultant and penetration tester based in Boston. Rauch told KrebsOnSecurity the AirTag weakness makes the devices cheap and possibly amazingly effective physical trojan horses.