Apple’s AirDrop feature on iPhone, iPad and MacBook is useful for sharing files and images with other Apple devices. Security researchers, however, have reportedly discovered a flaw in AirDrop that could reveal users’ phone numbers and email addresses to strangers. A report by 9to5Mac states that the flaw was discovered by researchers at Germany’s Technische Universität Darmstadt. The researchers, as per the report, said that the vulnerability was first spotted in May 2019. They flagged it to Apple then, but a fix hasn’t been rolled out, as per the report.
The problem, according to the researchers, is down to two issues. AirDrop has a “Contacts only” option where Apple devices need to ask for personal data from all devices within range. Elaborating on this, the researchers noted, “As sensitive data is typically exclusively shared with people who users already know, AirDrop only shows receiver devices from address book contacts by default. To determine whether the other party is a contact, AirDrop uses a mutual authentication mechanism that compares a user’s phone number and email address with entries in the other user’s address book.”
The other issue is that even though the data shared on AirDrop is encrypted, the researchers claim Apple has a “relatively weak hashing mechanism”. According to the researchers, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. “All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.”
The problem reportedly lies in Apple’s use of “hash functions for ‘obfuscating’ the exchanged phone numbers and email addresses during the discovery process.”
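Why a hash only obfuscates a phone number rather than protecting it, as an added example that is not code from the researchers or from Apple: a phone number has so few possible values that every candidate can be hashed and compared. The unsalted SHA-256, the 1e9 hashes-per-second rate and the fictional 555-01xx number are assumptions made for illustration; the article does not name the hash function.

```python
import hashlib
import math

def digest(identifier: str) -> str:
    """Assumed scheme: plain, unsalted SHA-256 of the identifier string."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()

def search_space_bits(free_digits: int) -> float:
    """Entropy, in bits, of an identifier with this many unknown decimal digits."""
    return free_digits * math.log2(10)

def seconds_to_enumerate(free_digits: int, hashes_per_second: float) -> float:
    """Worst-case time to hash every candidate at a given (assumed) hash rate."""
    return 10 ** free_digits / hashes_per_second

def recover(target_digest: str, known_prefix: str, free_digits: int):
    """Hash every candidate in the range; return (match or None, attempts)."""
    for n in range(10 ** free_digits):
        candidate = f"{known_prefix}{n:0{free_digits}d}"
        if digest(candidate) == target_digest:
            return candidate, n + 1
    return None, 10 ** free_digits

# Constructed sample: a fictional number from the reserved 555-01xx range.
SAMPLE_NUMBER = "+15555550142"
# The value exchanged in place of the number under the assumed scheme.
OBSERVED = digest(SAMPLE_NUMBER)

if __name__ == "__main__":
    print(f"10 unknown digits = {search_space_bits(10):.1f} bits of entropy")
    print(f"full sweep at 1e9 hashes/s: {seconds_to_enumerate(10, 1e9):.0f} s")
    match, attempts = recover(OBSERVED, "+155555", 5)
    print(f"hash mapped back to {match} after {attempts} candidates")
```

A design review can use the same arithmetic as a check: any identifier with roughly 33 bits of entropy or less should be treated as recoverable from its hash, whatever hash function is used.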
The researchers say that they have also tried to offer Apple a solution to the issue, but the company hasn’t fixed it.