A significant security flaw has been discovered in Apple’s wireless file-sharing protocol which could lead to the exposure of a user’s contact information such as email addresses and phone numbers.

According to the team of academics from the Technical University of Darmstadt, Germany, it is possible for an attacker to obtain the phone numbers and email addresses of AirDrop users even as a complete stranger. All the attacker needs is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.

AirDrop is a proprietary ad hoc service in Apple’s iOS and macOS operating systems that lets users transfer files between devices over close-range wireless communication.

This feature shows only receiver devices that belong to people in the user’s contact list, using an authentication mechanism that compares an individual’s phone number and email address with entries in the other user’s address book. However, the new issue defeats this protection: all it takes is a Wi-Fi-capable device and close physical proximity to a target.

The researchers stated that when an AirDrop connection is attempted between a sender and a receiver, the sender transmits over the air a message containing a hash, or digital fingerprint, of its user’s email address or phone number as part of an authentication handshake. If the sender is recognized, the receiver transmits back its own hash in response.

The main issue lies in Apple’s use of hash functions for masking the exchanged contact identifiers — i.e., phone numbers and email addresses — during the discovery process.

A malicious receiver can collect the hashed contact identifiers and unscramble them “in milliseconds” using techniques such as brute-force attacks, since a phone number has only a limited set of possible values and those candidates can be hashed and compared very quickly. A malicious sender can also learn all the hashed contact identifiers, including the receiver’s phone number, without any prior knowledge of the receiver.

The researchers first privately notified Apple of the issue in May 2019, and again in October 2020 after developing a solution named “PrivateDrop” to replace the flawed design in AirDrop.

PrivateDrop is based on optimized cryptographic private set intersection protocols that can securely perform the contact discovery process between two users without exchanging vulnerable hash values.
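As an added illustration (not the researchers' PrivateDrop code or Apple's protocol), the following Python contrasts the two designs the article describes: an unsalted hash of a low-entropy identifier can be matched by simply enumerating the identifier space, whereas a Diffie-Hellman-style private set intersection lets a party learn only which of its own contacts the peer also holds, with no bare hash ever transmitted. The Mersenne-prime modulus, the sample numbers and the shared digit prefix are constructed assumptions chosen for readability; a real PSI deployment would use an elliptic-curve group.

```python
import hashlib
import secrets

# Illustrative group only (assumption): a Mersenne prime modulus keeps the
# arithmetic readable in pure Python. Real PSI uses elliptic-curve groups.
P = 2**521 - 1


def plain_hash(identifier: str) -> str:
    """What the flawed design transmits: an unsalted hash of the identifier."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def hash_to_group(identifier: str) -> int:
    """Map an identifier to a non-zero element of the multiplicative group mod P."""
    h = int.from_bytes(hashlib.sha256(identifier.encode()).digest(), "big")
    return h % (P - 1) + 1


def new_secret() -> int:
    """Per-party ephemeral exponent; it is never sent over the air."""
    return secrets.randbelow(P - 2) + 1


def blind(values, secret):
    return [pow(v, secret, P) for v in values]


def enumerate_match(target, transform, prefix: str, digits: int):
    """Offline enumeration of every identifier sharing a known prefix: it finds
    the input of a bare hash, but not of a value blinded with an unknown secret."""
    for n in range(10**digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if transform(candidate) == target:
            return candidate
    return None


def psi_intersection(sender_contacts, sender_key, receiver_contacts, receiver_key):
    """DH-style PSI: the sender learns only which of its own contacts the receiver
    also holds. Exponents commute, so doubly-blinded values match exactly when
    the underlying identifiers match."""
    # Round 1: sender transmits its identifiers blinded with its own secret.
    s_blind = blind([hash_to_group(c) for c in sender_contacts], sender_key)
    # Round 2: receiver re-blinds the sender's list and blinds its own list.
    s_double = blind(s_blind, receiver_key)
    r_blind = blind([hash_to_group(c) for c in receiver_contacts], receiver_key)
    # Sender applies its secret to the receiver's list and compares.
    r_double = set(blind(r_blind, sender_key))
    return sorted(c for c, v in zip(sender_contacts, s_double) if v in r_double)
```

With constructed numbers such as `"5550142718"` and the prefix `"55501"`, `enumerate_match(plain_hash(n), plain_hash, "55501", 5)` recovers the number from its bare hash, while the same search against `pow(hash_to_group(n), new_secret(), P)` returns `None`.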

However, as the bug has not yet been fixed, users of more than 1.5 billion Apple devices remain vulnerable to such attacks.

According to the researchers, users can protect themselves by disabling AirDrop discovery in the system settings and by refraining from opening the sharing menu.

The post Apple AirDrop bug could leak user’s personal information first appeared on Cybersafe News.
