iOS 11 QR Code Vulnerability in Camera App Could Lead Users to Malicious Websites

Discussion in 'iOS Blog Discussion' started by MacRumors, Mar 26, 2018.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    A new vulnerability within iOS 11 was uncovered over the weekend, this time centering upon the QR code scanner in the iPhone camera app. With the new scanning feature in iOS 11, users can open the Camera app on iPhone or iPad, point the device at a QR code, and tap a notification to access whatever the code contains.

    In a new report by Infosec, the researchers discovered that QR codes related to website links can potentially trick users by displaying an "unsuspicious" website link in the notification, while actually leading them to a completely different site. Infosec showed this off by creating a QR code that generates a notification to "Open 'facebook.com' in Safari", but then leads to its own website.

    [​IMG]

    Infosec explained that the Camera app isn't properly parsing URLs in QR codes, and appears to be tricked by simply editing URLs with a few extra characters:
    iOS 11 has faced a number of bugs and issues since its launch last September, including one that was fixed in December that allowed unauthorized access to HomeKit devices.

    For the QR code issue, Infosec said that it reported the problem to the Apple security team on December 23, 2017, and as of March 24, 2018 it has not yet been fixed.

    Article Link: iOS 11 QR Code Vulnerability in Camera App Could Lead Users to Malicious Websites
     
  2. Heineken macrumors 6502a

    Heineken

    Joined:
    Jan 27, 2018
  3. Aluminum213 macrumors 68040

    Aluminum213

    Joined:
    Mar 16, 2012
  4. TMRJIJ macrumors 68030

    TMRJIJ

    Joined:
    Dec 12, 2011
    Location:
    South Carolina, United States
    #4
    My god... It’s like we’re at war against vulnerabilities. I swear by 2020, I’ll probably disconnect from the online world completely.
     
  5. AMTYVLE macrumors 6502

    AMTYVLE

    Joined:
    Sep 23, 2014
    Location:
    Florida
  6. chrono1081 macrumors 604

    chrono1081

    Joined:
    Jan 26, 2008
    Location:
    Isla Nublar
    #6

    This has always been the case and is completely normal. They're just more heavily publicized these days.
     
  7. shareef777 Suspended

    shareef777

    Joined:
    Jul 26, 2005
    Location:
    Chicago, IL
    #7
    Mentioning Spectre/Meltdown is disingenuous and poor writing. Those vulnerabilities have absolutely nothing attributed to Apple. Those are CPU related and every machine with an x86/arm cpu is susceptible to them.
     
  8. scrapesleon macrumors 6502a

    scrapesleon

    Joined:
    Mar 30, 2017
    Location:
    Jamaica
  9. GaryMumford macrumors regular

    GaryMumford

    Joined:
    Jul 25, 2008
    Location:
    UK
    #9
    My gripe with this MR article is, Why do they have to specifically mention Meltdown and Spectre? This was not a 'specific' iOS11 bug! This affected almost every device running any platform from any manufacturer and is unrelated to specific iOS bugs (of which there are many!!)
     
  10. pete2106 Suspended

    pete2106

    Joined:
    Dec 7, 2012
    #10
    It wouldn't be Monday without a new iOS11 vulnerability but hey, at least we have a new range of watch straps and TV shows to look forward to.
     
  11. JosephAW macrumors 68020

    JosephAW

    Joined:
    May 14, 2012
    #11
    "QR Reader" has a feature where it shows you the URL before confirming you want to navigate to it.
     
  12. eagle33199 macrumors member

    Joined:
    Mar 13, 2007
    #12
    When was the last time anyone actually used a QR code as a consumer? I remember thinking they were going to get huge 10 years ago... but I maybe read 1 code per year. They can be great for specific applications (manufacturing, shipping, etc), but those are controlled situations. Not just some random QR code you find on the side of a bus stop.
     
  13. GrumpyMom macrumors 604

    GrumpyMom

    Joined:
    Sep 11, 2014
    #13
    I saw your post and thought about it for a moment and concluded:
    470932B6-DC20-4B8F-92AD-0F541189FB6F.jpeg
     
  14. Dave-Z macrumors 6502a

    Joined:
    Jun 26, 2012
    #14
    That's what the bug is. The URL shown is not the actual URL visited. I'm guessing a poorly formed regular expression when extracting the URL for displaying to the user.

    This crap is typical Apple stupidity these days.
     
  15. miniyou64 macrumors 6502

    miniyou64

    Joined:
    Jul 8, 2008
    #15
    I think the article is explaining that the confirmation popup can be tricked before it goes to the site. That’s the whole issue
     
  16. Dave-Z macrumors 6502a

    Joined:
    Jun 26, 2012
    #16
    o_O

    As others have said, MacRumors needs to fix the wording of this article. iOS 11 has nothing to do with the hardware-based vulnerabilities.
     
  17. earthTOmitchel Contributing Editor

    earthTOmitchel

    Staff Member

    Joined:
    Mar 6, 2015
    Location:
    Louisiana
    #17
    Hey guys you're right, went ahead and deleted this section.
     
  18. CylonGlitch macrumors 68030

    CylonGlitch

    Joined:
    Jul 7, 2009
    Location:
    SoCal
    #18
    ONE code a year? Dude, that's way too many... I'm at about 1 or 2 a decade....
     
  19. itsmilo macrumors 68020

    itsmilo

    Joined:
    Sep 15, 2016
    Location:
    Europe
    #19
    Only as an entry ticket like a Boarding pass or a theater ticket. Never a random code slapped on some product. As useless as AR
     
  20. simonmet macrumors 68000

    simonmet

    Joined:
    Sep 9, 2012
    Location:
    Sydney
    #20
    Tried it once. Nothing but stupid advertising or a link they probably could’ve printed in less space than the code.

    Probably seen it on some tickets like plane or concert tickets but never gave it a moment’s thought because it wasn’t really there for the end user.
     
  21. selfsilent macrumors regular

    Joined:
    Apr 9, 2014
    #21
    I'm not convinced that this is a vulnerability. You have been able to get QR code readers on iOS for years, same on Android. They just forward you to whatever the link says.
    I've pulled this prank before, create a QR code that forwards to a disgraceful image, print a few stickers and leave them for people to find.
    The problem isn't the software or hardware, it's the user. Learn to not fall for these dodgy links, phasing and scams and you'll be a better person.
     
  22. BobVB macrumors 6502a

    BobVB

    Joined:
    Apr 12, 2002
    #22
    my guess is this was added for China where QR Codes are used extensively.
     
  23. szw-mapple fan macrumors 65816

    szw-mapple fan

    Joined:
    Jul 28, 2012
    #23
    QR code usage/adoption differs by country. In China for example, it’s very wide spread for mobile payments and such.
     
  24. Regime2008 Suspended

    Regime2008

    Joined:
    Oct 3, 2017
    Location:
    Basshead in ATL
    #24
    Can we all agree that iOS11 is a beta product? I never hear other OS's have a mere fraction of all the bugs I have seen in this release.
     
  25. ignatius345 macrumors 68000

    Joined:
    Aug 20, 2015
    #25
    I used one 3 days ago when a cable provider authentication thing came up on my Apple TV. Made the process quite painless.

    But yeah, generally they never quite lived up to the hype.
     

Share This Page