QR code bug in iOS 11

Scammers and malware authors can abuse the QR code reading function added the default camera app of iOS 11, and they can use this bug to redirect users to malicious URLs.

The bug, discovered by German security expert Roman Mueller, affects how the camera app shows the URL embedded in a QR code in notifications to open the link in Safari, iOS' default browser.

iOS camera app misreads a URL's domain

Mueller discovered that the iOS camera app misreads certain URL formats, and selects the wrong part of a URL as the main domain.

This allows miscreants to create complex URLs that appear as one domain in the camera app's notification, but lead to a totally different URL when the user opens the link in Safari.

For example, Mueller says that the iOS 11 camera app will read the following URL as a "facebook.com" link instead of a link leading to the real domain of "rm-it.de".


Potential for phishing and other social engineering tricks

After a user scans a malicious QR code generated from this domain, the camera app will show a 'Open "facebook.com" in Safari" notification, leading the user to believe the URL is safe to access.

Mueller recorded a video of the bug in action, which he shared on Twitter (embedded below):

The bug has some practicality. For example, a hacker can replace QR codes on legitimate sites, where they are often used to automate donations and use it to redirect funds to his own accounts.

Researcher discovered the bug in 30 minutes

Mueller says he discovered the bug on December 23, last year, and notified Apple of his findings.

"Someone showed me [the QR code reading] feature on that day. I didn't know about it before that, so I just started to play with it a little," the researcher told Bleeping Computer today in a private conversation.

"I haven't done any research so far on QR codes. I'm mainly working on Web applications," Mueller added. "I knew that URL parsing is always very hard to implement correctly and it was basically the first flaw I tried."

"After around half an hour I discovered the bug," Mueller told us.

The earliest version the researcher verified the bug was iOS 11.2.0, but the camera app on older versions could also be vulnerable. The bug is unfixed in iOS 11.2.6, the current version of Apple's iOS mobile operating system.

A formal request for comment has been sent to Apple, but the company has a history of not responding to security-related issues, but instead just pushing silent patches on its Security Updates page.

UPDATE [April 24, 2018]: This bug —CVE-2018-4187— has been fixed in iOS 11.3.1.

Related Articles:

Apple Releases Security Updates for iOS and iCloud, Fixes Passcode Bypass

Roaming Mantis Group Testing Coinhive Miner Redirects on iPhones

iOS 12 Patches Memory Bugs, Safari 12 Fixes Data Leaks

New CSS Attack Restarts an iPhone or Freezes a Mac

Apple Launches iPhone XR, iPhone XS, iPhone XS Max and Watch Series 4