iOS 11 QR Code Vulnerability in Camera App Could Lead Users to Malicious Websites

A new vulnerability within iOS 11 was uncovered over the weekend, this time centering upon the QR code scanner in the iPhone camera app. With the new scanning feature in iOS 11, users can open the Camera app on iPhone or iPad, point the device at a QR code, and tap a notification to access whatever the code contains.

In a new report by Infosec, the researchers discovered that QR codes related to website links can potentially trick users by displaying an "unsuspicious" website link in the notification, while actually leading them to a completely different site. Infosec showed this off by creating a QR code that generates a notification to "Open 'facebook.com' in Safari", but then leads to its own website.

iphone qr code bug
Infosec explained that the Camera app isn't properly parsing URLs in QR codes, and appears to be tricked by simply editing URLs with a few extra characters:

The URL embedded in the QR code is: https://xxx\@facebook.com:443@infosec.rm-it.de/

But if you tap it to open the site, it will instead open https://infosec.rm-it.de/

The URL parser of the camera app has a problem here detecting the hostname in this URL in the same way as Safari does. It probably detects “xxx\” as the username to be sent to “facebook.com:443”. While Safari might take the complete string “xxx\@facebook.com” as a username and “443” as the password to be sent to infosec.rm-it.de. This leads to a different hostname being displayed in the notification compared to what actually is opened in Safari.

iOS 11 has faced a number of bugs and issues since its launch last September, including one that was fixed in December that allowed unauthorized access to HomeKit devices.

For the QR code issue, Infosec said that it reported the problem to the Apple security team on December 23, 2017, and as of March 24, 2018 it has not yet been fixed.

Related Forum: iOS 11

Popular Stories

iPhone 15 Pro Cameras

iPhone 17 Pro Max Will Be First Model to Feature Three 48MP Cameras

Thursday July 11, 2024 12:20 am PDT by
Next year's iPhone 17 Pro Max will feature an upgraded 48-megapixel Tetraprism camera for enhanced photo quality and zoom functionality, according to Apple analyst Ming-Chi Kuo. In his n-iphone-tetraprism-upgrade-ca62dd37e364">latest investor note published to Medium, Kuo said the key specification change would be a 1/2.6" 48MP CIS sensor, up from the 1/3.1" 12MP sensor expected to be used...
Beyond iPhone 13 Better Blue Face ID Single Camera Hole

10 Reasons to Wait for Next Year's iPhone 17

Monday July 8, 2024 5:00 am PDT by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models simultaneously, which is why we sometimes get rumored feature leaks so far ahead of launch. The iPhone 17 series is no different – already we have some idea of what to expect from Apple's 2025 smartphone lineup. If you plan to skip...
maxresdefault

Apple's AirPods Pro 2 vs. Samsung's Galaxy Buds3 Pro

Saturday July 13, 2024 8:00 am PDT by
Samsung this week introduced its latest earbuds, the Galaxy Buds3 Pro, which look quite a bit like Apple's AirPods Pro 2. Given the similarities, we thought we'd compare Samsung's new earbuds to the AirPods Pro. Subscribe to the MacRumors YouTube channel for more videos. Design wise, you could potentially mistake Samsung's Galaxy Buds3 Pro for the AirPods Pro. The Buds3 Pro have the same...
primeday2020 feature3

The Best Early Prime Day Deals on Apple Products

Saturday July 13, 2024 6:23 am PDT by
Amazon is soon to be back with its annual summertime Prime Day event, lasting for just two days from July 16-17. As it does every year, Prime Day offers shoppers a huge selection of deals across Amazon's storefront, and there are already many deals you can get on sale ahead of the event. Note: MacRumors is an affiliate partner with Amazon. When you click a link and make a purchase, we may...

Top Rated Comments

Aluminum213 Avatar
82 months ago
At least we have Animojis!!!
Score: 9 Votes (Like | Disagree)
chrono1081 Avatar
82 months ago
My god... It’s like we’re at war against vulnerabilities.
This has always been the case and is completely normal. They're just more heavily publicized these days.
Score: 7 Votes (Like | Disagree)
scrapesleon Avatar
82 months ago
iOS 11 belongs in the trash
Score: 7 Votes (Like | Disagree)
shareef777 Avatar
82 months ago
Mentioning Spectre/Meltdown is disingenuous and poor writing. Those vulnerabilities have absolutely nothing attributed to Apple. Those are CPU related and every machine with an x86/arm cpu is susceptible to them.
Score: 6 Votes (Like | Disagree)
GaryMumford Avatar
82 months ago
My gripe with this MR article is, Why do they have to specifically mention Meltdown and Spectre? This was not a 'specific' iOS11 bug! This affected almost every device running any platform from any manufacturer and is unrelated to specific iOS bugs (of which there are many!!)
Score: 6 Votes (Like | Disagree)
pete2106 Avatar
82 months ago
It wouldn't be Monday without a new iOS11 vulnerability but hey, at least we have a new range of watch straps and TV shows to look forward to.
Score: 5 Votes (Like | Disagree)