An iOS camera app bug could direct users to malicious websites without their knowledge.
A vulnerability in the iPhone QR code reader could potentially place users at a security risk. The camera app has a bug that could potentially send smartphone users to harmful sites.
The recently discovered flaw is located in the camera app’s automatic QR code reading function.
The flaw could make the iPhone QR code scanner display a link but send users somewhere else entirely. If users click the link displayed, they may or may not be directed to the indicated destination.
Roman Mueller of Infosec discovered the mobile security flaw in the quick response code reader. He demonstrated the problem by scanning a QR code with an iPhone. The phone then used the Safari browser to display a Facebook.com link. That said, when the link was clicked, the device directed to Mueller’s own site.
To further spread the word about the iPhone QR code scanning issue, Mueller tweeted a gif.
The gif It revealed each step of the mobile security issue he had described. He then went on to explain why the unsuspected redirect worked. The camera app’s URL parser has a bug in detecting the URL hostname in the same way Safari completes that process, said Mueller.
At the time this article was written, there had yet to be any reports of users suffering malware attacks from QR code scanning using iPhones. That said, it wouldn’t be difficult to imagine that they would be used for sending users to malicious or scam websites.
While malicious QR codes may not sound like much of a threat to the average smartphone user. However, it wouldn’t be difficult for someone to produce a physical QR code for people to scan and easily direct users to any site they want. That said, this bug in the iPhone scanner takes things a step further.
Mueller claims to have alerted Apple to the existence of the iPhone QR code bug on December 23, 2017. That said, as of the most recent iOS update on March 24, 2018, the bug had yet to be patched.