A new vulnerability within iOS 11 was uncovered over the weekend, this time centering upon the QR code scanner in the iPhone camera app. With the new scanning feature in iOS 11, users can open the Camera app on iPhone or iPad, point the device at a QR code, and tap a notification to access whatever the code contains.

In a new report by Infosec, the researchers discovered that QR codes related to website links can potentially trick users by displaying an "unsuspicious" website link in the notification, while actually leading them to a completely different site. Infosec showed this off by creating a QR code that generates a notification to "Open 'facebook.com' in Safari", but then leads to its own website.

iphone qr code bug
Infosec explained that the Camera app isn't properly parsing URLs in QR codes, and appears to be tricked by simply editing URLs with a few extra characters:

The URL embedded in the QR code is: https://xxx\@facebook.com:443@infosec.rm-it.de/

But if you tap it to open the site, it will instead open https://infosec.rm-it.de/

The URL parser of the camera app has a problem here detecting the hostname in this URL in the same way as Safari does. It probably detects “xxx\” as the username to be sent to “facebook.com:443”. While Safari might take the complete string “xxx\@facebook.com” as a username and “443” as the password to be sent to infosec.rm-it.de. This leads to a different hostname being displayed in the notification compared to what actually is opened in Safari.

iOS 11 has faced a number of bugs and issues since its launch last September, including one that was fixed in December that allowed unauthorized access to HomeKit devices.

For the QR code issue, Infosec said that it reported the problem to the Apple security team on December 23, 2017, and as of March 24, 2018 it has not yet been fixed.

Related Forum: iOS 11

Top Rated Comments

Aluminum213 Avatar
Aluminum213
66 months ago
At least we have Animojis!!!
Score: 9 Votes (Like | Disagree)
chrono1081 Avatar
chrono1081
66 months ago
My god... It’s like we’re at war against vulnerabilities.
This has always been the case and is completely normal. They're just more heavily publicized these days.
Score: 7 Votes (Like | Disagree)
scrapesleon Avatar
scrapesleon
66 months ago
iOS 11 belongs in the trash
Score: 7 Votes (Like | Disagree)
shareef777 Avatar
shareef777
66 months ago
Mentioning Spectre/Meltdown is disingenuous and poor writing. Those vulnerabilities have absolutely nothing attributed to Apple. Those are CPU related and every machine with an x86/arm cpu is susceptible to them.
Score: 6 Votes (Like | Disagree)
GaryMumford Avatar
GaryMumford
66 months ago
My gripe with this MR article is, Why do they have to specifically mention Meltdown and Spectre? This was not a 'specific' iOS11 bug! This affected almost every device running any platform from any manufacturer and is unrelated to specific iOS bugs (of which there are many!!)
Score: 6 Votes (Like | Disagree)
pete2106 Avatar
pete2106
66 months ago
It wouldn't be Monday without a new iOS11 vulnerability but hey, at least we have a new range of watch straps and TV shows to look forward to.
Score: 5 Votes (Like | Disagree)
Read All Comments

Popular Stories

maxresdefault

Apple Announces WWDC 2023 Event Taking Place June 5 to 9

Wednesday March 29, 2023 9:58 am PDT by
Apple today announced that its 34th annual Worldwide Developers Conference will take place from Monday, June 5 to Friday, June 9. Like WWDC 2020, 2021, and 2022, WWDC 2023 will be an online event for the most part, and it will be open to all developers at no cost. Subscribe to the MacRumors YouTube channel for more videos. Apple will provide online sessions and labs, which will allow...
Read Full Article201 comments
iPhone 15 Pro Buttons CAD Leak

iPhone 15 Pro Low-Energy Chip to Allow Solid-State Buttons to Work When Device is Off or Out of Battery

Wednesday March 29, 2023 1:54 am PDT by
The iPhone 15 Pro and Pro Max will use a new ultra-low energy microprocessor allowing certain features like the new capacitive solid-state buttons to remain functional even when the handset is powered off or the battery has run out, according to a source that shared details on the MacRumors forums. CAD-based render of new solid-state buttons on iPhone 15 Pro models The source of this rumor is ...
Read Full Article189 comments
CarPlay Phone Call

General Motors to Phase Out Apple CarPlay Starting This Year in EV Transition

Friday March 31, 2023 8:43 am PDT by
General Motors (GM) will phase out Apple CarPlay and Android Auto in its vehicles starting this year, shifting to a built-in infotainment system co-developed with Google (via Reuters). GM owns Buick, Cadillac, Chevrolet, and GMC in the United States. It will stop offering Apple CarPlay and Android Auto starting with the 2024 Chevrolet Blazer, which goes on sale this summer. The company plans ...
Read Full Article432 comments
iPhone 15 Pro Multi Purpose button Mute Switch Feature Green 2

iPhone 15 Pro Rumored to Feature Multi-Use Action Button Instead of Mute Switch

Wednesday March 29, 2023 7:28 am PDT by
iPhone 15 Pro and iPhone 15 Pro Max models are rumored to feature a customizable Action button like the Apple Watch Ultra, according to a MacRumors forum member who leaked accurate details about the Dynamic Island on iPhone 14 Pro models last year. The source claimed the Action button will replace the Ring/Silent switch that has been included on every iPhone model since 2007. They did not...
Read Full Article168 comments
iOS 16

iOS 16.4 Now Available for Your iPhone With These 8 New Features

Friday March 31, 2023 8:55 am PDT by
Following six weeks of beta testing, iOS 16.4 was released to the public this week. The software update includes a handful of new features and changes for the iPhone 8 and newer. To install an iOS update, open the Settings app on the iPhone, tap General → Software Update, and follow the on-screen instructions. Below, we have recapped eight new features and changes added with iOS 16.4,...
Read Full Article
iOS 17 on Phone Feature

Three New iOS Features Coming to Your iPhone Following Apple Music Classical

Thursday March 30, 2023 7:13 am PDT by
With the Apple Music Classical app and an Apple Pay Later early access program now available, the list of previously-announced iOS features that have yet to launch is beginning to shrink. However, there are still a few features we are waiting for. Below, we have recapped three more iOS features that are expected to launch in 2023, including an Apple Card savings account for Daily Cash,...
Read Full Article30 comments
apple mixed reality headset concept by david lewis and marcus kane

Kuo: Apple Mixed-Reality Headset May Not Appear at WWDC as Mass Production Pushed Back Yet Again

Thursday March 30, 2023 4:50 am PDT by
Apple has again pushed back mass production of its mixed-reality headset and the device may not appear at this year's Worldwide Developers Conference (WWDC), Apple analyst Ming-Chi Kuo today said. Apple headset concept by David Lewis and Marcus Kane In a tweet, Kuo explained that Apple "isn't very optimistic" about whether the headset will be able to create an "iPhone moment." As a result,...
Read Full Article389 comments