A Vulnerability in the iPhone QR Reader Comes to Light

Infosec reports a vulnerability in the iPhone QR reader that could redirect people to malicious websites. The QR reader is built into the iPhone camera and it came as part of iOS 11.

QR Vulnerability

When you open the camera app and point your iPhone at a QR code, it will execute the code. For example, a website address embedded as a QR code will automatically open in Safari.

ButĀ InfosecĀ found that it’s easy to trick the iPhone QR reader so that it displays one URL but opens a different one. In an example QR code, it asks you if you want to open facebook.com in Safari, but when you scan the code it takes you to Infosec’s website.

Example QR code that you can scan with the built-in iPhone QR reader.
Infosec’s example QR code. Try it for yourself by opening the iPhone camera app and pointing it at the code

It involves embedding a URL in a particular format:

https://www\@facebook.com:[email protected]/

Infosec says that it reported the vulnerability to Apple on December 23. Now after waiting the standard 90 days, the website says that Apple still hasn’t fixed the bug. Whether we’ll see a fix in iOS 11.3, or a later version is still unknown.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.