iOS 11 QR Code Vulnerability in Camera App Could Lead Users to Malicious Websites

A new vulnerability within iOS 11 was uncovered over the weekend, this time centering upon the QR code scanner in the iPhone camera app. With the new scanning feature in iOS 11, users can open the Camera app on iPhone or iPad, point the device at a QR code, and tap a notification to access whatever the code contains.

In a new report by Infosec, the researchers discovered that QR codes related to website links can potentially trick users by displaying an "unsuspicious" website link in the notification, while actually leading them to a completely different site. Infosec showed this off by creating a QR code that generates a notification to "Open 'facebook.com' in Safari", but then leads to its own website.

Infosec explained that the Camera app isn't properly parsing URLs in QR codes, and appears to be tricked by simply editing URLs with a few extra characters:

The URL embedded in the QR code is: https://xxx\@facebook.com:443@infosec.rm-it.de/

But if you tap it to open the site, it will instead open https://infosec.rm-it.de/

The URL parser of the camera app has a problem here detecting the hostname in this URL in the same way as Safari does. It probably detects “xxx\” as the username to be sent to “facebook.com:443”. While Safari might take the complete string “xxx\@facebook.com” as a username and “443” as the password to be sent to infosec.rm-it.de. This leads to a different hostname being displayed in the notification compared to what actually is opened in Safari.

iOS 11 has faced a number of bugs and issues since its launch last September, including one that was fixed in December that allowed unauthorized access to HomeKit devices.

Apple iOS camera app doesn't properly parse URLs in QR codes. It shows a different host in the notification than it really opens. As of now still unfixed: https://t.co/EMQk7uBQ9i pic.twitter.com/KE6EwYhj7s
— @faker_ Roman (@faker_) March 24, 2018

For the QR code issue, Infosec said that it reported the problem to the Apple security team on December 23, 2017, and as of March 24, 2018 it has not yet been fixed.

Related Roundup: iOS 11

Top Rated Comments

(View all)

Aluminum213

4 weeks ago

At least we have Animojis!!!

Rating: 9 Votes

scrapesleon

4 weeks ago

iOS 11 belongs in the trash

Rating: 7 Votes

chrono1081

4 weeks ago

My god... It’s like we’re at war against vulnerabilities.

This has always been the case and is completely normal. They're just more heavily publicized these days.

Rating: 7 Votes

GaryMumford

4 weeks ago

My gripe with this MR article is, Why do they have to specifically mention Meltdown and Spectre? This was not a 'specific' iOS11 bug! This affected almost every device running any platform from any manufacturer and is unrelated to specific iOS bugs (of which there are many!!)

Rating: 6 Votes

shareef777

4 weeks ago

Mentioning Spectre/Meltdown is disingenuous and poor writing. Those vulnerabilities have absolutely nothing attributed to Apple. Those are CPU related and every machine with an x86/arm cpu is susceptible to them.

Rating: 6 Votes

pete2106

4 weeks ago

It wouldn't be Monday without a new iOS11 vulnerability but hey, at least we have a new range of watch straps and TV shows to look forward to.

Rating: 5 Votes

Heineken

4 weeks ago

Needs fixing, but not very dangerous.

Rating: 4 Votes

Dave-Z

4 weeks ago

"QR Reader" has a feature where it shows you the URL before confirming you want to navigate to it.

That's what the bug is. The URL shown is not the actual URL visited. I'm guessing a poorly formed regular expression when extracting the URL for displaying to the user.

This crap is typical Apple stupidity these days.

Rating: 2 Votes

GrumpyMom

4 weeks ago

My god... It’s like we’re at war against vulnerabilities. I swear by 2020, I’ll probably disconnect from the online world completely.

I saw your post and thought about it for a moment and concluded:

Rating: 2 Votes

eagle33199

4 weeks ago

When was the last time anyone actually used a QR code as a consumer? I remember thinking they were going to get huge 10 years ago... but I maybe read 1 code per year. They can be great for specific applications (manufacturing, shipping, etc), but those are controlled situations. Not just some random QR code you find on the side of a bus stop.

Rating: 2 Votes

[ Read All Comments ]

Upcoming

Front Page Stories

• Apple Debuts New iPhone Recycling Robot Daisy and GiveBack Trade-In Program (76)

• Tim Cook Insists Merging Mac and iPad Would Result in Compromises (372)

• Apple May Offer Two 6.1-Inch iPhone Models in 2018 With Price Tag as Low as $550 (216)

• Apple Releases Second Beta of macOS High Sierra 10.13.5 to Public Beta Testers (51)

• Apple Registers Several New Unreleased iPhone Models in Eurasia Ahead of WWDC (120)

• iPhone X Responsible for 35% of Total Worldwide Phone Profits in Q4 2017 (332)

iOS 11 QR Code Vulnerability in Camera App Could Lead Users to Malicious Websites

Top Rated Comments

Upcoming

Front Page Stories

Apple Celebrates Earth Day With Ziggy Marley Concert, Apple Music Playlists, and $0.99 iTunes Movies Rentals

Apple Launches Battery Replacement Program for Non-Touch Bar 13-Inch MacBook Pro Models

U.S. Department of Justice Investigating Claims AT&T, Verizon and GSMA Colluded to Prevent Customers From Easily Switching Carriers [Updated]

Featured Apps in Revamped iOS 11 App Store Can See 800% Download Boost

New iPhone SE Could Launch in May With Touch ID and A10 Fusion, Without 3.5mm Headphone Jack

Apple Retail Store Logos Gain Green Leaves in Celebration of Earth Day

Greenpeace Criticizes Apple's 'Daisy' Recycling Robot, Says Focus Should be on 'Repairable and Upgradeable Product Design'

Apple Shares 2018 Environmental Report With Details on Daisy Recycling Robot, Progress on Closed-Loop Supply Chain

Our Staff

Links

Touch Arcade

YouTube