Apple’s personal item-tracker devices can be used to deliver malware, slurp credentials, steal tokens and more thanks to XSS.
Threatpost