A security researcher is sounding the alarm on an AirTag vulnerability that could allow a hacker to lead unsuspecting users to an iCloud phishing page.

The problem lies in AirTag’s Lost Mode, which allows someone who finds a stranded AirTag to take steps to locate its owner and return it. When the owner enables Lost Mode, the tag can display a phone number or address on a specialized found.apple.com website. Apple’s Lost Mode doesn’t currently stop owners from injecting arbitrary computer code into its phone number field, and that code could lead an unsuspecting AirTag retriever to a phishing site.

The most common threat would be to add code that sends users to a phishing site that mimics Apple’s iCloud login site and tricks people into typing in their username and password. The report compares the vulnerability to a malware-laden USB stick that someone finds and plugs into their computer.

A weaponized AirTag tracking device could be used to redirect the Good Samaritan to a phishing page, or to a website that tries to foist malicious software onto her device.
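The bug described above is a contact field that is rendered as live HTML without validation or escaping. The following is an added example, not code from the article or from Apple, showing the two defensive controls such a field should have: strict allowlist validation of the phone number on input, and HTML escaping on output. Function names, the regex and the sample inputs are all constructed for illustration.

```javascript
// Added example (not from the article or from Apple): defensive handling of a
// Lost Mode-style contact field. Two independent controls are shown so that
// markup pasted into the field can never reach the "found" page as live HTML.

// Allowlist: an optional leading "+", a digit, then 5-19 more digits or common
// phone punctuation. Anything containing "<", ">", quotes, etc. fails here.
const PHONE_PATTERN = /^\+?[0-9][0-9 ().-]{5,19}$/;

function isValidPhoneNumber(value) {
  return typeof value === "string" && PHONE_PATTERN.test(value.trim());
}

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render the contact fragment. Invalid values are dropped rather than rendered;
// valid values are still escaped (defence in depth: the validator may change
// later, the encoder should not).
function renderContactField(phone) {
  if (!isValidPhoneNumber(phone)) {
    return '<p class="contact">No contact number provided.</p>';
  }
  return `<p class="contact">Call: ${escapeHtml(phone.trim())}</p>`;
}

// Constructed inputs: two well-formed numbers and two values carrying markup.
const SAMPLE_INPUTS = [
  "+1 (555) 010-0199",
  "555 0100",
  '<a href="https://example.invalid/login">Call me</a>',
  "555-0100 <b>urgent</b>",
];

// Returns, for each input, whether it was accepted and what would be rendered.
function reviewInputs(inputs) {
  return inputs.map((value) => ({
    value,
    accepted: isValidPhoneNumber(value),
    rendered: renderContactField(value),
  }));
}

for (const r of reviewInputs(SAMPLE_INPUTS)) {
  console.log(`${r.accepted ? "ACCEPT" : "REJECT"} ${JSON.stringify(r.value)} -> ${r.rendered}`);
}
```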

Apple’s AirTag is a Bluetooth tracking device that can be attached to an item using a ring or key tag. It lets users track non-Apple items in the Find My app and locate them with pinpoint accuracy using ultra-wideband technology.