Scammers and malware authors can abuse the QR code reading function added to the default camera app of iOS 11 to redirect users to malicious URLs.
The bug, discovered by German security expert Roman Mueller, affects how the camera app shows the URL embedded in a QR code in notifications to open the link in Safari, iOS' default browser.
Mueller discovered that the iOS camera app misreads certain URL formats, and selects the wrong part of a URL as the main domain.
This allows miscreants to create complex URLs that appear as one domain in the camera app's notification, but lead to a totally different URL when the user opens the link in Safari.
For example, Mueller says that the iOS 11 camera app will read the following URL as a "facebook.com" link instead of a link leading to the real domain of "rm-it.de".
After a user scans a malicious QR code generated from such a URL, the camera app will show an 'Open "facebook.com" in Safari' notification, leading the user to believe the link is safe to access.
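The article does not reproduce Mueller's test URL, so the following is an added illustration of the general parsing mistake it describes, not the researcher's own code or the camera app's logic (which is not public). It assumes a simplified stand-in parser that stops at the first delimiter, including `@`, so it reports the userinfo portion as the host, and contrasts it with a standards-compliant parser (`urllib.parse.urlsplit`) that yields the host a browser would actually connect to. The sample URLs are constructed; `example.net` stands in for the attacker-controlled domain.

```python
from typing import Optional, Dict, Any
from urllib.parse import urlsplit

# Constructed sample URLs (not the researcher's actual test URL).
# In the second and third, the text before '@' is the RFC 3986 userinfo
# component; the authority a browser connects to is example.net.
SAMPLES = [
    "https://example.com/",
    "https://facebook.com@example.net/login",
    "https://user:pass@example.net:8443/x",
]


def naive_host(url: str) -> str:
    """Assumed stand-in for a buggy display parser: take the characters after
    '//' up to the first delimiter, treating '@' as a delimiter. For a URL with
    userinfo this returns the userinfo, not the host (the class of mistake the
    article describes)."""
    rest = url.split("//", 1)[1] if "//" in url else url
    for i, ch in enumerate(rest):
        if ch in ":/@?#":
            return rest[:i]
    return rest


def real_host(url: str) -> Optional[str]:
    """Host as a standards-compliant parser resolves it: everything after the
    last '@' in the authority, before any port or path."""
    return urlsplit(url).hostname


def has_userinfo(url: str) -> bool:
    """True when the URL carries a username or password before '@'. Legitimate
    QR-code links rarely need this, so it is a cheap signal to warn on."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def check(url: str) -> Dict[str, Any]:
    """Compare what the naive parser would display with what a browser opens,
    and flag any disagreement or presence of userinfo."""
    shown = naive_host(url)
    actual = real_host(url)
    return {
        "displayed": shown,
        "actual": actual,
        "mismatch": shown != actual,
        "userinfo": has_userinfo(url),
    }


def prompt_text(url: str) -> str:
    """What a defensively written scanner should show the user: the host from
    the same parser the browser will use, plus a warning if userinfo is present."""
    host = real_host(url) or "<no host>"
    warning = " (contains credentials before '@'; treat with caution)" if has_userinfo(url) else ""
    return f'Open "{host}" in Safari{warning}'


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample)
        print("  ", check(sample))
        print("  ", prompt_text(sample))
```

The design point is that the string shown to the user must come from the same parser that will later open the link; deriving it with a second, ad-hoc tokenizer is what lets the displayed host and the opened host diverge.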
Mueller recorded a video of the bug in action, which he shared on Twitter (embedded below):
Apple iOS camera app doesn't properly parse URLs in QR codes. It shows a different host in the notification than it really opens. As of now still unfixed: https://t.co/EMQk7uBQ9i pic.twitter.com/KE6EwYhj7s— @faker_ Roman (@faker_) March 24, 2018
The bug has practical consequences. For example, an attacker could replace QR codes posted at legitimate sites, where they are often used to automate donations, and use the bug to redirect funds to accounts under his own control.
Mueller says he discovered the bug on December 23, last year, and notified Apple of his findings.
"Someone showed me [the QR code reading] feature on that day. I didn't know about it before that, so I just started to play with it a little," the researcher told Bleeping Computer today in a private conversation.
"I haven't done any research so far on QR codes. I'm mainly working on Web applications," Mueller added. "I knew that URL parsing is always very hard to implement correctly and it was basically the first flaw I tried."
"After around half an hour I discovered the bug," Mueller told us.
The earliest version on which the researcher verified the bug was iOS 11.2.0, but the camera app on older versions could also be vulnerable. The bug remains unfixed in iOS 11.2.6, the current version of Apple's iOS mobile operating system.
A formal request for comment has been sent to Apple, but the company has a history of not responding to security-related issues and instead quietly pushing patches documented only on its Security Updates page.
UPDATE [April 24, 2018]: This bug (CVE-2018-4187) has been fixed in iOS 11.3.1.