A new vulnerability within iOS 11 was uncovered over the weekend, this time centering upon the QR code scanner in the iPhone camera app. With the new scanning feature in iOS 11, users can open the Camera app on iPhone or iPad, point the device at a QR code, and tap a notification to access whatever the code contains.
In a new report by Infosec, the researchers discovered that QR codes related to website links can potentially trick users by displaying an "unsuspicious" website link in the notification, while actually leading them to a completely different site. Infosec showed this off by creating a QR code that generates a notification to "Open 'facebook.com' in Safari", but then leads to its own website.
Infosec explained that the Camera app isn't properly parsing URLs in QR codes, and appears to be tricked by simply editing URLs with a few extra characters:
In a new report by Infosec, the researchers discovered that QR codes related to website links can potentially trick users by displaying an "unsuspicious" website link in the notification, while actually leading them to a completely different site. Infosec showed this off by creating a QR code that generates a notification to "Open 'facebook.com' in Safari", but then leads to its own website.
Infosec explained that the Camera app isn't properly parsing URLs in QR codes, and appears to be tricked by simply editing URLs with a few extra characters:
The URL embedded in the QR code is: https://xxx\@facebook.com:443@infosec.rm-it.de/iOS 11 has faced a number of bugs and issues since its launch last September, including one that was fixed in December that allowed unauthorized access to HomeKit devices.
But if you tap it to open the site, it will instead open https://infosec.rm-it.de/
The URL parser of the camera app has a problem here detecting the hostname in this URL in the same way as Safari does. It probably detects “xxx\” as the username to be sent to “facebook.com:443”. While Safari might take the complete string “xxx\@facebook.com” as a username and “443” as the password to be sent to infosec.rm-it.de. This leads to a different hostname being displayed in the notification compared to what actually is opened in Safari.
Apple iOS camera app doesn't properly parse URLs in QR codes. It shows a different host in the notification than it really opens. As of now still unfixed: https://t.co/EMQk7uBQ9i pic.twitter.com/KE6EwYhj7s
— @faker_ Roman (@faker_) March 24, 2018
34 comments
Top Rated Comments
(View all)
14 months ago
My god... It’s like we’re at war against vulnerabilities. I swear by 2020, I’ll probably disconnect from the online world completely.
I saw your post and thought about it for a moment and concluded:
Apple today announced a voluntary recall of three-prong AC wall plug adapters designed for use primarily in Hong Kong, Singapore, and the United Kingdom.
Apple states that, in very rare...
A number of iPhone and iPad users this morning are taking to Twitter and Reddit to report an issue with the App Store that prevents them from downloading or updating apps.
The problem starts...
The next couple of years will see the rollout of 5G cellular phone networks from companies like Verizon, AT&T, Sprint, and T-Mobile, and it sounds like 5G smartphone plans might not be priced in...
Apple continues to dominate when it comes to customer support, according to Laptop Mag's annual tech support showdown, which is designed to help customers determine which companies are offering...
On April 24, 2015, the original Apple Watch launched in nine countries around the world. Four years later and we are now on the fourth iteration of the wearable device, the Apple Watch Series 4. Over...
Earlier this month, Bloomberg shared details on the thousands of employees that Amazon employs around the world to listen to voice recordings captured in the homes of Amazon Echo owners when the...
Tomorrow marks a month since Apple announced its Apple News+ subscription service, which means if you signed up on March 25 following the event, you're going to start getting charged $9.99...
A class action lawsuit originally filed against Apple in 2013 over broken iPhone 4, iPhone 4s, and later iPhone 5 power buttons is finally set to proceed to jury trial in San Diego state court...
