Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

iOS 11 QR Code Vulnerability in Camera App Could Lead Users to Malicious Websites

MacRumors

MacRumors

macrumors bot
Original poster
Apr 12, 2001
68,488
39,318



A new vulnerability within iOS 11 was uncovered over the weekend, this time centering upon the QR code scanner in the iPhone camera app. With the new scanning feature in iOS 11, users can open the Camera app on iPhone or iPad, point the device at a QR code, and tap a notification to access whatever the code contains.

In a new report by Infosec, the researchers discovered that QR codes related to website links can potentially trick users by displaying an "unsuspicious" website link in the notification, while actually leading them to a completely different site. Infosec showed this off by creating a QR code that generates a notification to "Open 'facebook.com' in Safari", but then leads to its own website.

iphone-qr-code-bug.jpg

Infosec explained that the Camera app isn't properly parsing URLs in QR codes, and appears to be tricked by simply editing URLs with a few extra characters:
The URL embedded in the QR code is: https://xxx\@facebook.com:443@infosec.rm-it.de/

But if you tap it to open the site, it will instead open https://infosec.rm-it.de/

The URL parser of the camera app has a problem here detecting the hostname in this URL in the same way as Safari does. It probably detects "xxx\" as the username to be sent to "facebook.com:443". While Safari might take the complete string "xxx\@facebook.com" as a username and "443" as the password to be sent to infosec.rm-it.de. This leads to a different hostname being displayed in the notification compared to what actually is opened in Safari.
Click to expand...
iOS 11 has faced a number of bugs and issues since its launch last September, including one that was fixed in December that allowed unauthorized access to HomeKit devices.

Apple iOS camera app doesn't properly parse URLs in QR codes. It shows a different host in the notification than it really opens. As of now still unfixed: https://t.co/EMQk7uBQ9i pic.twitter.com/KE6EwYhj7s - @faker_ Roman (@faker_) March 24, 2018
Click to expand...
For the QR code issue, Infosec said that it reported the problem to the Apple security team on December 23, 2017, and as of March 24, 2018 it has not yet been fixed.

Article Link: iOS 11 QR Code Vulnerability in Camera App Could Lead Users to Malicious Websites
 
Article Link
https://www.macrumors.com/2018/03/26/ios-11-qr-code-vulnerability/
My gripe with this MR article is, Why do they have to specifically mention Meltdown and Spectre? This was not a 'specific' iOS11 bug! This affected almost every device running any platform from any manufacturer and is unrelated to specific iOS bugs (of which there are many!!)
 
  • Like
Reactions: ILikeAllOS, TimSHB, t1meless1nf1n1t and 3 others
"QR Reader" has a feature where it shows you the URL before confirming you want to navigate to it.
 
When was the last time anyone actually used a QR code as a consumer? I remember thinking they were going to get huge 10 years ago... but I maybe read 1 code per year. They can be great for specific applications (manufacturing, shipping, etc), but those are controlled situations. Not just some random QR code you find on the side of a bus stop.
 
  • Like
Reactions: ILikeAllOS and simonmet
JosephAW said:
"QR Reader" has a feature where it shows you the URL before confirming you want to navigate to it.
Click to expand...

That's what the bug is. The URL shown is not the actual URL visited. I'm guessing a poorly formed regular expression when extracting the URL for displaying to the user.

This crap is typical Apple stupidity these days.
 
  • Like
Reactions: JosephAW and miniyou64
JosephAW said:
"QR Reader" has a feature where it shows you the URL before confirming you want to navigate to it.
Click to expand...
I think the article is explaining that the confirmation popup can be tricked before it goes to the site. That’s the whole issue
 
  • Like
Reactions: JosephAW
MacRumors said:
iOS 11 has faced a number of bugs [...] Meltdown and Spectre were serious hardware-based vulnerabilities
Click to expand...

o_O

As others have said, MacRumors needs to fix the wording of this article. iOS 11 has nothing to do with the hardware-based vulnerabilities.
 
shareef777 said:
Mentioning Spectre/Meltdown is disingenuous and poor writing. Those vulnerabilities have absolutely nothing attributed to Apple. Those are CPU related and every machine with an x86/arm cpu is susceptible to them.
Click to expand...

GaryMumford said:
My gripe with this MR article is, Why do they have to specifically mention Meltdown and Spectre? This was not a 'specific' iOS11 bug! This affected almost every device running any platform from any manufacturer and is unrelated to specific iOS bugs (of which there are many!!)
Click to expand...
Hey guys you're right, went ahead and deleted this section.
 
  • Like
Reactions: TimSHB
eagle33199 said:
When was the last time anyone actually used a QR code as a consumer? I remember thinking they were going to get huge 10 years ago... but I maybe read 1 code per year. They can be great for specific applications (manufacturing, shipping, etc), but those are controlled situations. Not just some random QR code you find on the side of a bus stop.
Click to expand...

ONE code a year? Dude, that's way too many... I'm at about 1 or 2 a decade....
 
  • Like
Reactions: simonmet
eagle33199 said:
When was the last time anyone actually used a QR code as a consumer? I remember thinking they were going to get huge 10 years ago... but I maybe read 1 code per year. They can be great for specific applications (manufacturing, shipping, etc), but those are controlled situations. Not just some random QR code you find on the side of a bus stop.
Click to expand...

Only as an entry ticket like a Boarding pass or a theater ticket. Never a random code slapped on some product. As useless as AR
 
CylonGlitch said:
ONE code a year? Dude, that's way too many... I'm at about 1 or 2 a decade....
Click to expand...

Tried it once. Nothing but stupid advertising or a link they probably could’ve printed in less space than the code.

Probably seen it on some tickets like plane or concert tickets but never gave it a moment’s thought because it wasn’t really there for the end user.
 
I'm not convinced that this is a vulnerability. You have been able to get QR code readers on iOS for years, same on Android. They just forward you to whatever the link says.
I've pulled this prank before, create a QR code that forwards to a disgraceful image, print a few stickers and leave them for people to find.
The problem isn't the software or hardware, it's the user. Learn to not fall for these dodgy links, phasing and scams and you'll be a better person.
 
eagle33199 said:
When was the last time anyone actually used a QR code as a consumer? I remember thinking they were going to get huge 10 years ago... but I maybe read 1 code per year. They can be great for specific applications (manufacturing, shipping, etc), but those are controlled situations. Not just some random QR code you find on the side of a bus stop.
Click to expand...
QR code usage/adoption differs by country. In China for example, it’s very wide spread for mobile payments and such.
 
eagle33199 said:
When was the last time anyone actually used a QR code as a consumer? I remember thinking they were going to get huge 10 years ago... but I maybe read 1 code per year. They can be great for specific applications (manufacturing, shipping, etc), but those are controlled situations. Not just some random QR code you find on the side of a bus stop.
Click to expand...
I used one 3 days ago when a cable provider authentication thing came up on my Apple TV. Made the process quite painless.

But yeah, generally they never quite lived up to the hype.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back