A bug in the QR code reading function of "iOS 11" standard camera application, it is possible to set the URL displayed and the linked website different from each other

byXavier Wendling

On iOS 11, you can now read the QR code with the standard camera application, but vulnerability has been found in the QR code reading function, and the user is redirected to a website different from the displayed link destination It is reported that there is a possibility of doing it.

iOS camera QR code URL parser bug | infosec.rm-it.de
https://infosec.rm-it.de/2018/03/24/ios-camera-qr-code-url-parser-bug/

QR Code Bug in Apple iOS 11 Could Lead You to Malicious Sites
https://thehackernews.com/2018/03/ios-qr-code-camera.html

The latest OS for iPhone / iPad / iPod touch that appeared in September 2017iOS 11"QR code can be read with standard camera. Prior to that you had to install a third party QR code reader application and so on. If you copy the QR code with a standard camera, if the URL is included in the QR code, a notice will be displayed at the top of the screen notifying the website of the link destination, and when you tap it, you can access it with Safari.


However, security researcher Roman Mueller has discovered that it is possible to skip to a URL different from the URL displayed in the notification area. According to Mr. Muller, the URL parser of the QR code reader function built in the iOS standard camera application can not detect the host name of the URL. If you use this point by a malicious person, it is possible to make the URL displayed in the notification different from the URL actually opened in Safari.

The following image is a GIF image for proof of concept created by Mr. Muller. When reading the QR code, "facebook.com" is displayed in the notification, but if you actually access it, it will be skipped to a site different from Facebook. Although we are redirecting to a site with no malicious intent by demonstration, it is possible to exploit the vulnerability of this QR code so that hackers and others can guide users to malicious sites.


Those who have a terminal on which iOS 11 is installed can actually experience vulnerabilities by reading the following QR code. "Notice" Opening "facebook.com" in Safari "is displayed, but the access destination is Mr. Muller'sweb pageis.


なお、上記のQRコードは以下のURLで作成したものだそうです。以下のURLから作成したQRコードを読み取ると、通知上には「"facebook.com"をSafariで開く」と表示されるものの、タップするとミュラー氏の用意したウェブページ(https://infosec.rm-it.de/)が開く模様。

https: // xxx \ @ facebook.com: [email protected]/

Actually, when I read the QR code with the camera application similarly on iPhone X with iOS version "11.2.6" in the editorial department of GIGAZINE, "Notice" "facebook.com" opened in Safari " Although it is done, it was confirmed that it is skipped to a different website from the URL.


Mr. Müller reported to vulnerability on QR code reading in December 2017 to Apple, but bugs have not been fixed even at the time of article creation.