KEY POINTS

  • Apple devices could leak owners' phone number and email address
  • The vulnerability was reported to Apple almost two years ago
  • Apparently, Apple has neither acknowledged the problem nor confirmed that it is working on a fix

Security researchers recently discovered Airdrop, a feature available on iPhone and Mac, is leaking users' phone numbers and emails.

AirDrop allows users to share documents, photos and other files between nearby Apple devices using WiFi and Bluetooth. With these connectivity features turned on, Apple device users could discover each other's devices, connect and share. However, the "discovery" process could leave Apple devices open to possible data pirates, according to computer science researchers at the Technical University of Darmstadt in Germany.

In a recently released warning, the researchers said that strangers within range of the device could learn about the email address and phone number of the device whose owner opens its sharing function. This is because the file-sharing process requires authentication. During this process, AirDrop checks phone numbers and email addresses against the other device's user's address book.

iphone-410324_1920
Representation. One of Liu's WeChat contacts took screenshots of Liu's post and publicly denounced it on Weibo, another Chinese social media platform. Pixabay

Researchers said that a connection with other Apple devices is not necessary for malicious attackers to eavesdrop. All that is needed to execute the exploit is a WiFi device and physical proximity to a target that can trigger the discovery process by opening the sharing pane of a macOS or iOS device.

That alone represents a "severe privacy leak," the researchers believe. While it is true that data shared in Airdrop authentications feature privacy protections, it could be easily reversed using simple techniques that hackers are well-aware of.

According to researchers, "hash values can be quickly reversed using simple techniques such as brute-force attacks." Phone numbers and email addresses in the hands of the wrong persons could put the owners at risk of phishing and other scams. Apple has been informed about this vulnerability almost a couple of years ago.

However, the researchers claimed that the Cupertino tech giant "has neither acknowledged the problem nor indicated that they are working on a solution." they said. "This means that the users of more than 1.5 billion Apple devices are still vulnerable to the outlined privacy attacks, " they noted.

The only thing to prevent AirDrop from leaking email addressed and phone numbers of iPhone, iPad and Mac users is by disabling the feature. To do this, Apple device users should go to Settings, General, AirDrop and select Receiving Off.