A vulnerability in the QR code reader built into the iOS 11 camera app could allow users to be directed to a malicious website without their knowledge.
The stock Camera app on iOS 11 was recently updated to automatically detect QR codes and show a link preview when the QR code contains a URL. However, reports have surfaced online suggesting the feature has a bug that lets the URL actually opened on tapping the link differ from the one shown in the notification preview.
A new report from Infosec explains that, due to a flaw in the feature, hackers can fool the QR code reader into prompting users to open one website while actually redirecting them to a different one.
This can be particularly dangerous when it comes to mobile banking, for example: a user might enter his or her credentials into the fake website, exposing their login details to the hacker, who could then use them to steal the victim's information or money.
The bug involves placing an innocuous-looking hostname such as facebook.com or google.com in the notification preview while embedding a different URL that is actually opened in Safari. For instance, the report uses facebook.com as the front, and the actual URL is https://xxx\@facebook.com:firstname.lastname@example.org/.
Scanning the custom QR code will display facebook.com in the notification, but tapping it will open a website unrelated to the social media giant. This is said to be because “The URL parser of the camera app has a problem here detecting the hostname in this URL in the same way as Safari does.”
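The mismatch described above can be reproduced and checked with an added Python example (not code from the report or from Apple). It uses a constructed URL in the same shape as the report's (backslash-escaped `@` inside the userinfo, real host after the last `@`, with `attacker.invalid` standing in for the attacker's domain), a deliberately simplistic parse that is an assumption about how a preview might pick the host, and the defensive check a link-preview feature should apply: never show a hostname that differs from the one a standards-following parser will navigate to.

```python
"""Preview-host vs. navigation-host mismatch for a userinfo-laden URL, plus a defensive check."""
from urllib.parse import urlsplit

# Constructed sample in the shape the report describes (not the report's own URL).
SAMPLE = r"https://xxx\@facebook.com:443@attacker.invalid/"


def naive_hostname(url: str) -> str:
    """Assumed simplistic parse (NOT the camera app's actual code): take the text
    after the FIRST '@' as the host and cut it at the next ':' or '/'."""
    authority = url.split("//", 1)[1]
    if "@" in authority:
        authority = authority.split("@", 1)[1]
    for sep in (":", "/"):
        authority = authority.split(sep, 1)[0]
    return authority


def real_hostname(url: str) -> str:
    """Host a standards-following parser resolves: urllib, like a browser,
    treats everything after the LAST '@' in the authority as the host."""
    return urlsplit(url).hostname or ""


def preview_is_safe(url: str) -> tuple[bool, str]:
    """Check a link-preview feature should run before displaying a hostname.
    Returns (ok, detail): ok is False when the host that would be shown differs
    from the host that will be navigated to, or when the URL carries userinfo at
    all (a legitimate QR code to a public site has no reason to include it)."""
    shown = naive_hostname(url)
    actual = real_hostname(url)
    if shown != actual:
        return False, f"preview host {shown!r} != navigation host {actual!r}"
    if "@" in urlsplit(url).netloc:
        return False, "authority contains userinfo ('@'); refuse to preview"
    return True, actual


if __name__ == "__main__":
    print("shown :", naive_hostname(SAMPLE))   # facebook.com
    print("actual:", real_hostname(SAMPLE))    # attacker.invalid
    print("safe? :", preview_is_safe(SAMPLE))
```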
According to the report, the bug was reported to Apple in December of last year and has not yet been fixed.