NEWS
iOS 11 QR Code Vulnerability in Camera App Could Lead Users to Malicious Websites
3654
2018-03-27
Posted by 3uTools

A new vulnerability within iOS 11 was uncovered over the weekend, this time centering upon the QR code scanner in the iPhone camera app. With the new scanning feature in iOS 11, users can open the Camera app on iPhone or iPad, point the device at a QR code, and tap a notification to access whatever the code contains. 

In a 
new report by Infosec, the researchers discovered that QR codes related to website links can potentially trick users by displaying an "unsuspicious" website link in the notification, while actually leading them to a completely different site. Infosec showed this off by creating a QR code that generates a notification to "Open 'facebook.com' in Safari", but then leads to its own website. 

iOS 11 QR Code Vulnerability in Camera App Could Lead Users to Malicious Websites

Infosec explained that the Camera app isn't properly parsing URLs in QR codes, and appears to be tricked by simply editing URLs with a few extra characters: 

  • The URL embedded in the QR code is: https://xxx\@facebook.com:443@infosec.rm-it.de/ 

  • But if you tap it to open the site, it will instead open https://infosec.rm-it.de/ 

  • The URL parser of the camera app has a problem here detecting the hostname in this URL in the same way as Safari does. It probably detects “xxx\” as the username to be sent to “facebook.com:443”. While Safari might take the complete string “xxx\@facebook.com” as a username and “443” as the password to be sent to infosec.rm-it.de. This leads to a different hostname being displayed in the notification compared to what actually is opened in Safari.


iOS 11 has faced a number of bugs and issues since its launch last September, including one that was fixed in December that allowed unauthorized access to HomeKit devices. 



Source: macrumors

Related Articles
Apple Still Signing iOS 11.3 Beta 5/6, Downgrade to It to Jailbreak Your iPhone How to Download Apple’s Official iOS IPSW with One Simple Step? Backup Your iOS Device When It's Disabled or in Password in Normal Mode ICCID Activation Bug can Factory Unlock Any iPhone with a Turbo SIM iOS 17 Update Now Available for iPhone With Better Autocorrect, StandBy, Interactive Widgets, Much More How to Jailbreak iOS 11– iOS 11.4.1 Using Electra Jailbreak on iPhone or iPad iFixit Releases Fun x-ray and Internal Wallpapers for iPhone XR Apple Begins Selling Refurbished iPhone 12 Mini in U.S. For First Time