Apple's AirDrop feature on iPhone, iPad and MacBook is very useful for those who want to share files and pictures with other Apple devices. However, security researchers have reportedly discovered a bug in AirDrop that could leak users’ phone numbers and email addresses to strangers. A report from 9to5Mac says the bug was discovered by researchers at the Technical University of Darmstadt. According to the report, the researchers said the vulnerability was first discovered in May 2019. They then reported it to Apple, but according to the report no fix was introduced.
According to the researchers, the problem stems from two issues. The first is that AirDrop has a Contacts Only option that requires Apple devices to ask for personal information from any device within range. The researchers explained: “Since confidential data is usually only passed on to people who users already know, AirDrop only shows recipient devices from the address book contacts by default. To determine if the other party is a contact, AirDrop uses a mutual authentication mechanism that compares one user’s phone number and email address with entries in the other user’s address book.”
The other problem is that while the data shared over AirDrop is encrypted, the researchers claim Apple uses “a relatively weak hashing mechanism”. According to the researchers, it is possible to find out the phone numbers and email addresses of AirDrop users, even as a complete stranger. “All you need is a Wi-Fi enabled device and physical proximity to a target, which initiates the discovery process by opening the shared area on an iOS or macOS device.”
The problem is reportedly that Apple uses “hash functions” to “obscure” the phone numbers and email addresses exchanged during the discovery process.
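Why a hash alone does not obscure a phone number, as an added example that is not from the report or from Apple's code: a digest hides its input only when the input space is too large to enumerate. SHA-256, the 80-bit threshold, the function names and the sample number (from the fictional 555-01xx range) are assumptions made for illustration.

```python
import hashlib
import math


def digest(identifier: str) -> str:
    # Unkeyed hash of the identifier; SHA-256 is an assumption for this example.
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def entropy_bits(candidate_count: int) -> float:
    # Bits of uncertainty when the identifier is one of
    # `candidate_count` equally likely values.
    return math.log2(candidate_count)


def is_obscured(candidate_count: int, min_bits: float = 80.0) -> bool:
    # Hashing adds no entropy: the digest protects the input only if the
    # input space itself is large. The 80-bit threshold is an assumed policy.
    return entropy_bits(candidate_count) >= min_bits


def match_by_enumeration(target_digest: str, prefix: str, free_digits: int):
    # Hash every number of the form prefix + N digits and compare each
    # digest with the target; return the matching input, or None.
    for n in range(10 ** free_digits):
        candidate = f"{prefix}{n:0{free_digits}d}"
        if digest(candidate) == target_digest:
            return candidate
    return None


# Constructed sample input: a fictional number, not data from the report.
SAMPLE_NUMBER = "+12025550147"
SAMPLE_DIGEST = digest(SAMPLE_NUMBER)

if __name__ == "__main__":
    print(f"10-digit phone number: {entropy_bits(10 ** 10):.1f} bits")
    print(f"random 128-bit token:  {entropy_bits(2 ** 128):.1f} bits")
    print("phone number obscured by hashing:", is_obscured(10 ** 10))
    print("input recovered from digest:",
          match_by_enumeration(SAMPLE_DIGEST, "+1202555", 4))
```

A privacy review can apply the same check to any identifier that is hashed before leaving a device: if `is_obscured` is false for the identifier's format, the digest should be treated as equivalent to the plaintext.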
The researchers say they tried to offer Apple a solution to the problem as well, but the company didn’t fix it.