A QR code vulnerability was discovered in the camera app of the first version of Apple iOS 11. How could an attacker exploit this vulnerability? What precautions should users take?
An attacker could exploit the QR code vulnerability in the reading function of the camera app included with the first version of Apple iOS 11 by manipulating the URL that is displayed in the QR code scanning notification on the victim’s device. When the victim taps on the notification, they can be redirected to a malicious website and prompted to share sensitive information.
This type of attack can succeed when the QR code reader's URL parser fails to identify the correct host name in the URL that was encoded into the QR code.
German security expert Roman Mueller discovered that the iOS camera app was misreading certain URL formats and selecting the wrong part of a URL as the main domain, for example https://xxx@facebook.com:443@infosec.rm-it.de/. When Mueller scanned a QR code containing this URL, he received a notification asking him to tap facebook.com to visit the website in Safari. After tapping the notification, he was redirected to https://infosec.rm-it.de. The camera app had wrongly identified facebook.com as the host name, so he visited a different URL than the one displayed in the notification.
The camera app's URL parser treated xxx as the username to be sent to facebook.com:443, while Safari treated xxx@facebook.com as the username and 443 as the password and sent the request to infosec.rm-it.de; the browser did not recognize 443 as the HTTPS port. After this realization, Mueller reported the flaw to Apple in December 2017, and it was fixed in iOS 11.3.1.
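The following Python is an added illustration, not code from the article or from Apple: it models the two readings of the article's URL side by side. The first parser is an assumed simplification that stops at the first "@", standing in for the camera app's misreading; the second is Python's standards-following urlsplit, which, like Safari, treats everything up to the last "@" as user information, and a preview function shows what a scanner should display instead.

```python
from urllib.parse import urlsplit


def naive_display_host(url: str) -> str:
    """Simplified model (assumption, not Apple's code) of a reader that cuts
    user information at the FIRST '@' and takes the next token as the host."""
    sep = url.find("://")
    rest = url[sep + 3:] if sep != -1 else url
    authority = rest.split("/", 1)[0]
    if "@" in authority:
        # drop 'xxx', keep 'facebook.com:443@infosec.rm-it.de'
        authority = authority.split("@", 1)[1]
    # host ends at the first ':' (port) or any leftover '@'
    for delim in (":", "@"):
        authority = authority.split(delim, 1)[0]
    return authority


def effective_host(url: str) -> str:
    """Host a standards-following client connects to: user information
    extends to the LAST '@', so the host is whatever follows it."""
    return urlsplit(url).hostname or ""


def effective_userinfo(url: str):
    """(username, password) as a standards-following client sees them."""
    parts = urlsplit(url)
    return parts.username, parts.password


def notification_is_misleading(url: str) -> bool:
    """True when the naively displayed host differs from the real one."""
    return naive_display_host(url).lower() != effective_host(url).lower()


def safe_preview(url: str) -> str:
    """What a scanner should show: the effective host, with a flag when the
    URL carries embedded credentials (a common sign of this kind of trick)."""
    parts = urlsplit(url)
    host = parts.hostname or "<no host>"
    if parts.username is not None or parts.password is not None:
        return f"{host} (URL contains embedded credentials; review before opening)"
    return host


# Sample input: the URL quoted in the article.
SAMPLE_URL = "https://xxx@facebook.com:443@infosec.rm-it.de/"
```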
If users are scanning QR codes with iOS 11.2.1, they should take several precautions to avoid this QR code vulnerability. These precautions include checking the URL when they are redirected to another website, clearing out cookies or any history of connecting to the website, and not entering sensitive information into a suspicious website.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)