iOS 11 QR Code Reader Could Redirect You to Malicious websites

A security firm has uncovered a potentially concerning bug in the iOS camera's QR code scanner. The bug, spotted by Infosec, can send you to a malicious link even though the link the camera shows you before opening it is something else entirely.

This issue has been reported to the Apple security team on December 23, 2017, but has not been fixed as of today. Now that the Apple blogosphere has highlighted this potentially serious vulnerability, Apple should hopefully release a fix soon.

The security firm illustrated the bug by crafting its own link and QR code: the camera's prompt says the code will open Facebook, but scanning it opens Infosec's own website instead. This is just one example of how a phishing or malware-serving site can be hidden behind a trusted-looking hostname.

Apple has been relatively quiet on the matter, which is a bit of a surprise since this is an incredibly worrying bug for the users. Starting with iOS 11, Apple enabled a QR code reader within the stock iOS camera app, allowing users to scan codes and open webpages. Users now hope that Apple recognizes this as an issue and patches it immediately.

You can find the QR code set up by Infosec below. If you scan it with the iOS 11 camera app, the prompt will read “Open “facebook.com” in Safari”, but the code will actually open “https://infosec.rm-it.de/”. The company reports that embedding a URL in this format, “https://xxx\@facebook.com:443@infosec.rm-it.de/”, tricks the system into opening a completely different site from the one shown to the user. The cause is a disagreement between two URL parsers: the camera app's preview takes “facebook.com” as the host, whereas Safari, following RFC 3986, treats everything up to the last “@” in the authority as userinfo and opens the host after it, infosec.rm-it.de.
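The following is an added example, not code from the original article or from Infosec, that reproduces the parser mismatch on the URL quoted above. `naive_host` is a hypothetical lenient parser modelled on the behaviour the article describes (split the authority at the first “@”); `rfc_host` uses Python's standard `urllib.parse`, which resolves the host the way Safari does. `preview_message` is a hypothetical replacement for the camera's prompt that names the host the opener will really contact and flags any URL carrying userinfo.

```python
from urllib.parse import urlsplit

# Constructed sample: the demonstration payload quoted in the article.
SPOOF_URL = "https://xxx\\@facebook.com:443@infosec.rm-it.de/"


def naive_host(url: str) -> str:
    """Hypothetical lenient parser mimicking the preview bug: everything
    before the FIRST '@' is treated as userinfo, and the host is read
    from whatever follows up to the next ':' or '@'."""
    _, _, rest = url.partition("://")
    authority = rest.split("/", 1)[0]
    _, sep, hostport = authority.partition("@")
    if not sep:
        hostport = authority
    return hostport.split(":", 1)[0].split("@", 1)[0]


def rfc_host(url: str) -> str:
    """Host as an RFC 3986 parser (and Safari) resolves it: everything up
    to the LAST '@' in the authority is userinfo, the host comes after."""
    return urlsplit(url).hostname or ""


def has_userinfo(url: str) -> bool:
    """True when the authority carries a user[:password]@ prefix, which is
    the only thing that lets one hostname be hidden behind another."""
    return "@" in urlsplit(url).netloc


def preview_message(url: str) -> str:
    """Hypothetical safer prompt: derive the displayed host with the same
    parser that will open the link, and warn when userinfo is present."""
    msg = f'Open "{rfc_host(url)}" in Safari'
    if has_userinfo(url):
        msg += " (warning: link embeds credentials; the host shown is the one that will be contacted)"
    return msg


if __name__ == "__main__":
    for link in (SPOOF_URL, "https://facebook.com/"):
        print(link)
        print("  lenient preview host :", naive_host(link))
        print("  host Safari will open:", rfc_host(link))
        print("  safer prompt         :", preview_message(link))
```

Running it shows the two parsers agreeing on a plain `https://facebook.com/` link and diverging on the spoofed one: the lenient parser reports `facebook.com` while the RFC parser reports `infosec.rm-it.de`. Any preview UI should therefore display the host from the parser that performs the navigation, and treating the mere presence of userinfo as a reason to warn removes this class of spoof outright.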

The Camera app on iOS 11 recognizes varied QR codes, including HomeKit setup codes, contacts, calendars, maps, messages, network settings, websites, callback URLs and so forth.

Have you tried iOS 11’s QR code scanning yet? Let us know in the comments.
