iOS QR Code Vulnerability Can Redirect Users to Malicious Sites

[Image credit: Roman Mueller]

A recently discovered vulnerability with the QR code reading functionality in iOS could allow third-parties to secretly send users to malicious websites.

Built-in QR code reading in the Camera app was first introduced in iOS 11. Basically, you point the iPhone camera at a QR code and the native camera application will read the code. If it leads to a web URL, iOS will then ask if you’d like to open the corresponding website. Unfortunately, there’s a security risk with the way it works.

The vulnerability was first spotted by German security researcher Roman Mueller, who published a post on March 24 detailing the exploit on his private blog.

Mueller wrote that it’s actually incredibly easy to have the QR code display one URL while actually sending the user to a completely different website.

Mueller demonstrated the exploit with a proof-of-concept QR code that he came up with.

[Image: Mueller's proof-of-concept QR code]

Basically, if you scan his QR code, the iOS notification will ask if you’d like to “Open ‘facebook.com’ in Safari.” If you tap on that notification, you’ll actually be redirected to Mueller’s own blog — without any prior indication of the trickery.

Mueller writes that the problem likely lies with the Camera app’s URL parser; specifically, it appears to be a flaw in how the parser detects the hostname of a URL. All it would take for an attacker to use this exploit is to write a URL in a particular format.
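The article does not reproduce the URL format that confuses the Camera app, so the example below (added here, not code from the article or from Mueller) does not try to recreate it. Instead it shows the defensive side of the problem: a prompt such as “Open ‘facebook.com’ in Safari” must display the host a standards-based parser would actually connect to, not the first domain-looking string a heuristic finds. The `heuristic_host` function is a constructed stand-in for a shortcut parser, not Apple's code; `prompt_host` derives the displayed host with `urllib.parse` (RFC 3986 rules) and refuses to prompt at all when the URL carries userinfo, the standard place where a host-like string can appear before the real host. The URL `https://facebook.com@example.test/` is a constructed sample.

```python
"""Added example: choosing the hostname to show in an "Open ... in Safari?" prompt.

heuristic_host  - a constructed, deliberately naive parser (NOT the iOS parser,
                  whose exact defect the article does not describe)
actual_host     - the host a standards-based parser resolves (urllib.parse)
prompt_host     - the host a prompt should display, or None to refuse the prompt
"""
import re
from urllib.parse import urlsplit

# Constructed sample: under RFC 3986 everything before '@' in the authority
# is userinfo, so the real host here is example.test, not facebook.com.
SAMPLE_URL = "https://facebook.com@example.test/"


def heuristic_host(url: str) -> str:
    """Grab the first domain-looking token after the scheme.

    This is the kind of shortcut that makes the displayed host differ from
    the host actually contacted: it stops at '@' instead of treating the
    text before it as userinfo.
    """
    m = re.match(r"^[a-z][a-z0-9+.-]*://([a-z0-9.-]+)", url, re.I)
    return m.group(1) if m else ""


def actual_host(url: str):
    """Host a standards-based parser resolves: the text after the last '@'
    in the authority, with any port removed."""
    return urlsplit(url).hostname


def prompt_host(url: str):
    """Return the hostname to show in the prompt, or None if no prompt should
    be offered.

    Hardening choices (assumptions of this example, not iOS behaviour):
      * only http/https URLs get an "open website" prompt;
      * any userinfo (username or password) in the URL refuses the prompt,
        since that is where a host-like decoy can sit before the real host;
      * the resolved host must consist only of DNS label characters.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return None
    if parts.username is not None or parts.password is not None:
        return None
    host = parts.hostname
    if not host or not re.fullmatch(r"[a-z0-9.-]+", host):
        return None
    return host


if __name__ == "__main__":
    print("heuristic sees:", heuristic_host(SAMPLE_URL))   # facebook.com
    print("parser resolves:", actual_host(SAMPLE_URL))     # example.test
    print("prompt decision:", prompt_host(SAMPLE_URL))     # None (refused)
    print("plain URL:", prompt_host("https://example.test/path"))  # example.test
```

The point of the contrast is that the string a user is asked to trust must come from the same parsing rules that will be used to open the connection; when the two disagree, the safest prompt is no prompt.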

Additionally, the researcher added that there’s “no redirect misuse being done on facebook.com.” In other words, an attacker could display any website they’d like while redirecting the user to the compromised or malicious site of their choice.

The implications are worrying, even if iOS devices aren’t inherently prone to viruses. Malicious entities could, technically, spread fraudulent QR codes that send users to sketchy websites without their knowledge.

The exploit was apparently reported to Apple’s security team on Dec. 23, 2017. As of this writing, the issue has yet to be patched in the latest versions of iOS.
