QR codes can fool iPhone users into visiting a malicious website

Be wary when scanning QR codes with iOS 11’s camera app

Boobytrapped QR code can trick iOS 11 into taking you to a malicious website

Boobytrapped QR code can trick iOS 11 into taking you to a malicious website

A security researcher has publicised a flaw in the latest version of iOS that could fool iPhone users into visiting a malicious website rather than a safe one.

With iOS 11 Apple introduced a new feature to its built-in camera app, giving users the ability to scan QR codes and access their content (such as URLs). Previously, it was necessary to install a third-party app to do this.

In other words, just pointing the camera app on your iOS device at the QR code below will invite you to visit www.welivesecurity.com.

QR codes

QR codes

All seems good, right?

But as security researcher Roman Mueller describes, it only took him “a few minutes” to find a way to construct a QR code that will show an unsuspicious-looking domain in the notification, but take an unwitting user to an entirely different URL in Safari.

To prove his point, Mueller generated a QR code containing the URL
https://xxx\@facebook.com:443@infosec.rm-it.de/

When scanned in iOS 11, a notification tells users that they are about to visit facebook.com, but in reality they are taken to Mueller’s website at https://infosec.rm-it.de/

QR codes

That proof of concept is harmless enough – but it’s easy to see how anybody could create a QR code that pretended to be one thing, but actually took an unsuspecting user to a phishing site, or a webpage containing a malicious exploit.

Mueller reported the vulnerability to Apple on December 23, 2017, and – at the time of writing – it has still not been fixed. Mueller, believing that he had given Apple long enough to resolve the issue, has now gone public with his discovery – and presumably hopes that the resulting headlines will stir Apple into releasing a fix sooner rather than later.

In my opinion this isn’t the most serious vulnerability ever discovered. After all, how often does the typical consumer scan a QR code? I would argue not that often – which seriously limits the impact that anyone exploiting this flaw might have.

But all the same, Apple’s code shouldn’t behave in this way and a flaw that is so easily reproduced by anybody with access to a QR code generator should be patched promptly – if only to underline that Apple is serious about the quality of its software.

Lets hope a new version of iOS, incorporating a fix for this issue as well as other security bugs, will be released soon.

Discussion