A vulnerability in the way iOS’ camera app handles QR codes could potentially result in users being unknowingly redirected to malicious destinations.
An iPhone user scans a QR code in Wuhan, China, in March 2017. Photo: Getty Images
Per 9to5Mac, security researcher Roman Mueller of Infosec recently discovered that a flaw in the camera app’s automatic QR code scanning function could result in it displaying a link and then sending users somewhere else if they click it. Mueller provided an example of the bug in question in which an iPhone-scanned QR code displays a link to Facebook.com via the Safari browser, but actually sends users to his own site:
If you scan [the QR code below] with the iOS (11.2.1) camera app, it will show this notification:
Open “facebook.com” in Safari
But if you tap it to open the site, it will instead open https://infosec.rm-it.de/
Mueller tweeted a gif of what this looks like in practice:
Apple iOS camera app doesn’t properly parse URLs in QR codes. It shows a different host in the notification than it really opens. As of now still unfixed: https://t.co/EMQk7uBQ9i pic.twitter.com/KE6EwYhj7s
— @faker_ Roman (@faker_) March 24, 2018
To achieve this result, all that’s needed is to have the QR code embed a link in this format:
https://xxx@facebook.com:443@infosec.rm-it.de/
Mueller offered this explanation for why the trick works:
The URL parser of the camera app has a problem here detecting the hostname in this URL in the same way as Safari does.
It probably detects “xxx” as the username to be sent to “facebook.com:443”.
While Safari might take the complete string “xxx@facebook.com” as a username and “443” as the password to be sent to infosec.rm-it.de.
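As an added illustration (not code from the article or from Mueller), the snippet below models the two parsing behaviours the quote describes: a lenient parser that ends the userinfo at the first "@" versus the RFC 3986 rule that userinfo ends at the last "@" of the authority. The sample URL is the one from the article; the function names and the confusability check are this example's own assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample taken from the article: the authority component holds two
# '@' characters, so a parser splitting on the first '@' and one splitting on
# the last '@' disagree about which host the link really points to.
SAMPLE = "https://xxx@facebook.com:443@infosec.rm-it.de/"


def authority(url: str) -> str:
    """Return the authority (userinfo@host:port) of an absolute http(s) URL."""
    sep = url.find("://")
    if sep < 0:
        raise ValueError("not an absolute URL")
    rest = url[sep + 3:]
    end = len(rest)
    for stop in "/?#":          # authority ends at the first of these
        idx = rest.find(stop)
        if idx >= 0:
            end = min(end, idx)
    return rest[:end]


def host_first_at(url: str) -> str:
    """Lenient model: everything before the FIRST '@' is userinfo.
    Hypothetical reconstruction of the behaviour the article attributes to the
    camera app's notification (yields 'facebook.com' for SAMPLE).
    IPv6 bracket syntax is deliberately not handled."""
    auth = authority(url)
    hostport = auth.split("@", 1)[1] if "@" in auth else auth
    return hostport.rsplit(":", 1)[0].lower()


def host_last_at(url: str) -> str:
    """RFC 3986 section 3.2 model: userinfo ends at the LAST '@', so the host is
    whatever follows it. urllib.parse applies the same rule."""
    auth = authority(url)
    hostport = auth.rsplit("@", 1)[1] if "@" in auth else auth
    return hostport.rsplit(":", 1)[0].lower()


def is_confusable(url: str) -> bool:
    """Defensive check for a scanner or link previewer: flag any URL whose
    lenient and strict host readings differ, i.e. the displayed host might not
    be the host actually opened."""
    return host_first_at(url) != host_last_at(url)


if __name__ == "__main__":
    print("first-@ host :", host_first_at(SAMPLE))
    print("last-@ host  :", host_last_at(SAMPLE))
    print("confusable   :", is_confusable(SAMPLE))
```

A previewer that wants to show users where a link leads should display the strict (last "@") host, or simply refuse to preview URLs that carry userinfo at all.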
Any user who scanned the code would see a prompt saying they were about to go to Facebook, and would instead end up on Mueller’s Infosec site. It isn’t hard to imagine how this could be used to redirect users to scam websites or malware. Malicious QR codes might not seem to be at the top of the list of security vulnerabilities, especially since they can already be used to trick users into clicking redirects via a URL-shortening service such as Bitly. But anyone can easily create such a code and spread it either physically or via any website that allows image hosting (which is pretty much all of them), and this trick can fool users into thinking they’re going to a legitimate site even if they’re wary enough not to click a Bitly link.
According to Mueller, he notified Apple of the bug on 23 December 2017, and the bug was still not patched as of 24 March 2018, a few days after the latest iOS update. In any case, until this bug is fixed iPhone users may want to be even more judicious than normal when clicking on QR codes, especially since jerks tend to jump on iOS bugs such as the infamous Telugu bug to wreak havoc as soon as they’re identified. ZDNet reports iOS 11.3 may arrive as soon as this week, so it’s possible this exploit could be killed off in the very near future.