A vulnerability in the way iOS’ camera app handles QR codes could potentially result in users being unknowingly redirected to malicious destinations.
Per 9to5Mac, security researcher Roman Mueller of Infosec recently discovered that a flaw in the camera app’s automatic QR code scanning function could result in it displaying a link and then sending users somewhere else if they click it. Mueller provided an example of the bug in question in which an iPhone-scanned QR code displays a link to Facebook.com via the Safari browser, but actually sends users to his own site:
If you scan [the QR code below] with the iOS (11.2.1) camera app, it will show this notification:
Open “facebook.com” in Safari
But if you tap it to open the site, it will instead open https://infosec.rm-it.de/
Mueller tweeted a gif of what this looks like in practice:
To achieve this result, all that’s needed is to have the QR code embed a link in this format:
Mueller offered this explanation for why the trick works:
The URL parser of the camera app has a problem here detecting the hostname in this URL in the same way as Safari does.
It probably detects “xxx\” as the username to be sent to “facebook.com:443”.
While Safari might take the complete string “xxx\@facebook.com” as a username and “443” as the password to be sent to infosec.rm-it.de.
Any user who scanned the code would see a prompt that they’re about to go to Facebook, and instead end up on the Infosec website. It’s not hard to imagine how this could be used to redirect users to scam websites or malware. Malicious QR codes might not seem to be at the top of the list when it comes to security vulnerabilities, especially since they can already be used to trick users into clicking on redirects using a URL-redirecting service like Bitly. But anyone can easily create such a code and then spread it either physically or via any website that allows image hosting, which is pretty much all of them, and this trick can fool users into thinking they’re going to a legitimate site even if they’re wary enough not to click on a Bitly link.
According to Mueller, he notified Apple of the bug on December 23rd, 2017, and the bug was still not patched as of March 24th, 2018, a few days after the latest iOS update. In any case, until this bug is fixed iPhone users may want to be even more judicious than normal when clicking on QR codes, especially since jerks tend to jump on iOS bugs like the infamous Telugu bug to wreak havoc as soon as they’re identified. ZDNet reports iOS 11.3 may arrive as soon as Tuesday, so it’s possible this exploit could be killed off in the very near future.