iOS 11 QR Code Vulnerability in Camera App Could Lead Users to Malicious Websites

[coolfactor]

The string "\@" is basically saying "The @ is escaped, so ignore it". So yes, it interprets everything before the *second* @ as the username and password.

I'm amazed that people manage to find these bugs 🙂 , and I'm disgusted that Apple hasn't fixed it yet, after THREE months! This fix would literally take 5 minutes to implement 😡 !

 

[mrgraff]

I tried using QR codes to help teachers reserve computer labs ... nobody cared. I tried using QR codes to help with taking inventory ... nobody cared. I attended a conference workshop on QR codes ... even I got bored and finally learned my lesson.

 

[69Mustang]

When was the last time anyone actually used a QR code as a consumer? I remember thinking they were going to get huge 10 years ago... but I maybe read 1 code per year. They can be great for specific applications (manufacturing, shipping, etc), but those are controlled situations. Not just some random QR code you find on the side of a bus stop.

As with most new things from Apple these days, this has to do with China. Apples largest or 2nd largest market depending on the category. The Chinese use QR Codes, therefore they will be integrated into iOS.

 

[laz232]

The problem isn't the software or hardware, it's the user. Learn to not fall for these dodgy links, phasing and scams and you'll be a better person.

No - there are two issues here:
1. This class of vulnerability (QR codes) has been known about for years - it's worrying that Apple's code review let this slip through.
2. I use QR codes on my business cards - as do many others in my field, so there are many legitimate instances where this exploit can be a problem.

 

[Porco]

If you never use this feature anyway:
Settings> Camera> Scan QR Codes> off.

 

[crisss1205]

Is this really that much of an issue? How about they just turn off the preview all together? Is that better.

 

[Shanesan]

The issue isn't the bug, it's the time-to-patch-release which is inexcusable.

 

[charlituna]

I'm not convinced that this is a vulnerability.

agreed. It's not on Apple if the link has a redirect on the page that is loaded. the app sent you to the page embed in the QR code.

that said, it would be great (since so many iOS users seem to be gullible idiots) if iOS could detect that there is a redirect and pause the reload to let folks know what's happening and give them the option to continue or not. whether a QR code is involved or not

 

[Videomanmac]

Did 11.3 fix this?

 

[960design]

Only as an entry ticket like a Boarding pass or a theater ticket. Never a random code slapped on some product. As useless as AR

Hey now... my AR is pretty useful.