An iOS QR code reader vulnerability could lead you to malicious websites

If you regularly use your phone to scan QR codes, be careful — you may not be headed to the site you think you are.

iOS 11 brought us many wonderful features, including the ability to read QR codes using the iPhone's native camera app instead of a third-party QR code reader. Unfortunately, according to a report by Infosec, there is a vulnerability in the iOS camera's reader that is pretty easily exploited, taking you to a malicious website without your knowledge.

Normally, when you scan a code that points to a website, the camera app shows the site's URL in a notification banner that you tap to open the page. However, Infosec found that if you embed a URL in a QR code in a particular format, you can fool the reader into displaying one URL while actually opening another. By placing the "fake" URL and the real URL together in the QR code like this ...

https://xxx\@facebook.com:443@infosec.rm-it.de/

... individuals can exploit the vulnerability and — in this particular case — make the user believe that they're headed to Facebook when in reality, they're headed to the Infosec website.

The article hypothesizes that this happens because the camera app's URL parser picks out the hostname differently from the way Safari's parser does:

It probably detects "xxx\" as the username to be sent to "facebook.com:443". While Safari might take the complete string "xxx\@facebook.com" as a username and "443" as the password to be sent to infosec.rm-it.de. This leads to a different hostname being displayed in the notification compared to what actually is opened in Safari.
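To make the parsing disagreement concrete, here is an added Python example (not code from the article, Infosec or Apple). It models the hypothesised camera-app behaviour as a "lenient" parser that splits the userinfo at the first "@", and contrasts it with the RFC 3986 rule that Python's urllib (like Safari, per the quote above) follows: userinfo ends at the last "@" in the authority. The lenient parser is an assumption built from the article's explanation, not Apple's real code; the URL is the one from the article. The last function shows what a defensive scanner UI should display instead.

```python
"""Model of the QR-code URL preview mismatch described in the article.

Constructed example: lenient_host() is a simplified model of the hypothesised
camera-app behaviour, strict_host() is the RFC 3986 / urllib behaviour.
"""
from urllib.parse import urlsplit

# URL from the article (the backslash is a literal character in the QR payload)
ARTICLE_URL = "https://xxx\\@facebook.com:443@infosec.rm-it.de/"


def authority(url: str) -> str:
    """Return the authority component: text between '://' and the first '/', '?' or '#'."""
    scheme_sep = url.find("://")
    if scheme_sep == -1:
        return ""
    rest = url[scheme_sep + 3:]
    end = len(rest)
    for stop in "/?#":
        pos = rest.find(stop)
        if pos != -1:
            end = min(end, pos)
    return rest[:end]


def lenient_host(url: str) -> str:
    """Hypothetical preview parser (assumption): userinfo ends at the FIRST '@',
    and the host runs up to the next ':' or '@'. On the article's URL this
    yields the spoofed 'facebook.com'."""
    auth = authority(url)
    userinfo, at, after_first_at = auth.partition("@")
    host = after_first_at if at else userinfo
    for stop in ":@":
        pos = host.find(stop)
        if pos != -1:
            host = host[:pos]
    return host


def strict_host(url: str) -> str:
    """RFC 3986 rule: userinfo ends at the LAST '@' in the authority, so this is
    the host a browser actually connects to. urlsplit() implements that rule."""
    return urlsplit(url).hostname or ""


def has_userinfo(url: str) -> bool:
    """True when the authority carries a userinfo part, the lever behind this spoof."""
    return "@" in authority(url)


def preview_mismatch(url: str) -> bool:
    """True when the lenient preview host differs from the host that will be opened."""
    return lenient_host(url) != strict_host(url)


def safe_preview(url: str) -> str:
    """What a defensive scanner UI should show: the strict host, with a warning
    whenever credentials precede an '@', since legitimate QR links rarely need them."""
    host = strict_host(url)
    if has_userinfo(url):
        return f"{host} (WARNING: URL contains credentials before '@')"
    return host


if __name__ == "__main__":
    print("lenient preview:", lenient_host(ARTICLE_URL))
    print("actual host:    ", strict_host(ARTICLE_URL))
    print("safe preview:   ", safe_preview(ARTICLE_URL))
```

Run as a script, the lenient model prints "facebook.com" while the strict parse prints "infosec.rm-it.de", reproducing the mismatch the article describes. The practical defence for any app that previews scanned URLs is to derive the displayed host with the same parser that performs the navigation, and to treat any userinfo in a scanned URL as a reason to warn the user.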

Apparently, Infosec made Apple aware of this vulnerability in December of last year, but the company has yet to provide any sort of fix or response.

If you want to (safely) try it for yourself, you can scan Infosec's QR code below.

Questions?

Have you encountered this exploit while scanning a QR code? Share in the comments below.

Tory Foulk

Tory Foulk is a writer at Mobile Nations. She lives at the intersection of technology and sorcery and enjoys radio, bees, and houses in small towns. When she isn't working on articles, you'll likely find her listening to her favorite podcasts in a carefully curated blanket nest. You can follow her on Twitter at @tsfoulk.

6 Comments
  • Has this vulnerability been patched yet? If not, is it smart to tell everyone HOW they can exploit the vulnerability?
  • It's already public how to exploit the vulnerability, iMore wouldn't report it otherwise. Besides, the more publicity, the more likeliness of Apple fixing it
  • I tested this myself on iOS 11.3 Public Beta and though the camera app's UI says "facebook.com" as part of the URL that it detects, once the URL is opened in Safari the real URL is displayed, namely "infosec.rm-it.de". Basically, once you're in Safari you're going to notice that something isn't right. Does this need to be fixed? Definitely. But if you pay enough attention you're going to be able to know what happened. This isn't a "the sky is falling" kind of thing.
  • It's more of a bug than a vulnerability, so it's not surprising Apple hasn't fixed this yet. Who goes around sending QR codes to phish people anyway? Maybe this is a judgemental thought, but if you know how to scan a QR code, you probably know to recognise if the URL is wrong.
  • I hadn't even used the native iOS scanning until reading this article. Usually, I use the Scan app, and when it hits this QR code, it stalls at a page that shows the actual URL without loading the page. So I guess I'll keep doing it this way until the native function is fixed.
  • It's not a serious vulnerability, it just has the possibility to take you to a different website than what is initially shown (you can also see this happening in the URL bar when Safari opens).