A vulnerability in the QR Code Reader that is built into the iOS 11 Camera app could direct users to a malicious website without their knowledge.
iOS 11 added a feature to the Camera app that allows users to point the camera lens of their iPhone at a QR code, and the app will load and act upon the instructions embedded in the code. This can include an embedded URL. iOS does first ask the user to confirm whether they want to visit the website.
However, the flaw in the app can allow the QR code to actually send you to a different URL than the one that’s being displayed.
Infosec demonstrates how it works:
If you scan [the QR code below] with the iOS (11.2.1) camera app, it will show this notification:
Open “facebook.com” in Safari
But if you tap it to open the site, it will instead open https://infosec.rm-it.de/
The website demonstrates how it all works, by providing a QR code that appears to be sending you to Facebook.com, but instead sends you to a benign URL set up by Infosec for the purpose of demonstrating the flaw. You can try it here.
The flaw can be exploited by crafting the URL in the following manner:
When crafted in this manner, the first URL is the one displayed by the iOS 11 Camera app QR Code Reader, but the second URL is the one that you’re taken to.
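The article does not reproduce the crafted URL. As an added illustration (not code from the article or from Infosec), the check below assumes the mismatch comes from a URL whose authority component carries a userinfo part that looks like a hostname; it compares the host a careless display might show against the host a standards-compliant parser actually resolves, and flags any authority with userinfo, multiple `@` characters, or backslashes. The sample URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample inputs (assumed shape; the article omits the real QR payload).
SAMPLES = [
    "https://facebook.com/",
    "https://facebook.com@example.invalid/",   # userinfo that looks like a host
    "https://user:pw@facebook.com/",
    "https://a@b@example.invalid/",            # more than one '@' in the authority
]

def naive_host(url: str) -> str:
    """What a careless display might show: the first host-like token after '//'."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#:@\\]+)", url, re.I)
    return m.group(1) if m else ""

def effective_host(url: str) -> str:
    """Host a standards-compliant parser (and therefore the browser) connects to."""
    return urlsplit(url).hostname or ""

def check_qr_url(url: str) -> dict:
    """Return the host that should be displayed and why the URL looks suspicious, if it does."""
    parts = urlsplit(url)
    shown, real = naive_host(url), effective_host(url)
    reasons = []
    if parts.username is not None or parts.password is not None:
        reasons.append("userinfo present in authority")
    if parts.netloc.count("@") > 1 or "\\" in parts.netloc:
        reasons.append("ambiguous authority component")
    if shown.lower() != real.lower():
        reasons.append(f"naive host '{shown}' differs from effective host '{real}'")
    return {"url": url, "display_host": real, "suspicious": bool(reasons), "reasons": reasons}

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_qr_url(sample))
```

The mitigation the check encodes is simple: a confirmation prompt should show the parser's effective host, never a substring the URL's author chose to put first.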
Infosec says the flaw was reported to Apple on December 23, 2017, but still hasn’t been fixed. We’ll keep you posted.