When you open the camera app and point your iPhone at a QR code, it will execute the code. For example, a website address embedded as a QR code will automatically open in Safari.
But Infosec found that it’s easy to trick the iPhone QR reader so that it displays one URL but opens a different one. In an example QR code, it asks you if you want to open facebook.com in Safari, but when you scan the code it takes you to Infosec’s website.
It involves embedding a URL in a particular format:
Infosec says that it reported the vulnerability to Apple on December 23. Now after waiting the standard 90 days, the website says that Apple still hasn’t fixed the bug. Whether we’ll see a fix in iOS 11.3, or a later version is still unknown.