A vulnerability within the Camera app on iOS has been discovered. The app's built-in QR code reader could potentially redirect users to malicious websites without them knowing.
Infosec security researcher Roman Mueller is the first to bring this to light. He discovered that the Camera app's automatic QR code reader can display one link in its notification and then send users to a different site when they tap it.
iOS Camera App QR Code Bug
Mueller even demonstrated the bug in action. He scanned a QR code that was supposed to open up Facebook via the Safari browser but instead went to his own website.
"Apple iOS camera app doesn't properly parse URLs in QR codes," Mueller tweeted on Mar. 24. "It shows a different host in the notification than it really opens."
He also explained in a blog post why this seems to be happening. He says that the URL parser of the iOS Camera app does not determine the hostname in a certain URL format the same way Safari does. As a result, when the QR code is scanned, the app prompts the user that they'll be taken to Facebook, but they actually end up on the Infosec website instead.
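The defensive lesson from Mueller's finding is that the host shown to the user must come from the same parser that performs the navigation. The following is an added example, not code from the article, from Mueller's blog, or from Apple: it parses a scanned QR payload with Python's RFC 3986-style `urllib.parse.urlsplit`, derives the displayed host from that same parse, and flags URLs that carry a `user@` prefix in front of the real host, which is the classic way a URL can look like one site while pointing at another. The sample payloads and hostnames (`infosec.example`, `example.com`) are constructed for the demonstration and are not the payload Mueller used.

```python
from urllib.parse import urlsplit

# Constructed sample payloads for the demonstration; none of these is the
# actual QR code from Mueller's write-up.
SAMPLE_PAYLOADS = [
    "https://www.facebook.com/",
    "https://www.facebook.com@infosec.example/",   # userinfo that looks like a host
    "https://user:pass@example.com:8443/login",    # ordinary credentials plus port
    "tel:+15555550100",                            # non-web scheme (constructed number)
    "not a url at all",
]


def analyze_qr_url(payload: str) -> dict:
    """Parse a scanned payload the way a browser would and build the
    user-facing preview from that same parse, so the preview can never
    name a host other than the one that will actually be opened."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower()   # strips userinfo and port
        port = parts.port                       # raises ValueError on a bad port
    except ValueError as exc:                   # malformed IPv6 literal, bad port, ...
        return {"ok": False, "reason": f"unparseable URL: {exc}"}

    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return {"ok": False, "reason": f"non-web scheme: {scheme or 'none'}"}
    if not host:
        return {"ok": False, "reason": "no host in URL"}

    warnings = []
    has_userinfo = "@" in parts.netloc
    if has_userinfo:
        # The text before '@' is credentials, not the destination; a preview
        # built by naive string slicing could show it as the site name.
        warnings.append(f"URL carries a user@ prefix; the real host is {host}")

    return {
        "ok": True,
        "scheme": scheme,
        "host": host,
        "port": port,
        "userinfo": has_userinfo,
        "display": f'Open "{host}" in Safari',
        "warnings": warnings,
    }


def analyze_all(payloads=SAMPLE_PAYLOADS) -> list:
    """Run the check over every sample and return the results in order."""
    return [analyze_qr_url(p) for p in payloads]


if __name__ == "__main__":
    for payload, result in zip(SAMPLE_PAYLOADS, analyze_all()):
        print(f"{payload!r:45} -> {result}")
```

The key design choice is that `display` is built only from `parts.hostname`, never from the raw payload string, and that any `@` in the authority component is surfaced as a warning rather than silently accepted. A scanner app that follows this rule cannot show Facebook and open somewhere else, whatever the rest of the URL looks like.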
It's easy to imagine how bad actors could exploit this vulnerability to redirect users to malicious websites. They might generate custom codes that pose as genuine links but lead to sites full of malware or scams. Mueller said he had notified Apple of this issue on Dec. 23, 2017, yet upon seeing that the bug still existed as of the latest iOS update, he decided to go public with his findings.
Apple has yet to formally address the vulnerability, but it likely won't say anything about the issue and instead release a patch that'll take care of it.
How To Avoid The QR Code Bug
In any case, iOS users should steer clear of scanning QR codes with the iPhone's built-in Camera app in the meantime unless they want to risk being redirected to malicious websites. There are plenty of bad actors out there who will milk this vulnerability while they still can, and it doesn't help that creating a QR code is extremely easy and quick. Practice caution with sites that open from QR codes, especially ones that ask for critical information such as banking details, passwords, or important identification numbers. Hopefully, Apple comes out with a fix soon.