APPS
APPS
APPS
iOS QR code vulnerability allows users to be directed to malicious websites
A newly discovered vulnerability in the QR code scanning feature in the iPhone Camera app in Apple Inc.’s iOS 11 software could result in users being taken to malicious websites.
The vulnerability, found by Infosec, relates to a parsing error that allows an attacker to show iPhone users a different web address to the site to which the user is actually taken.
As of iOS 11, the camera app automatically scans QR codes and then prompts users, via a popup, with a question asking them if they want to visit the URL detailed in the QR code. In this case, a bad actor can manipulate the display to show a legitimate website address while actually taking the user to a malicious website instead.
In an example given by Infosec, it created a QR code that displays a notification to “Open ‘facebook.com’ in Safari” but the URL embedded in the QR code is “https://xxx@facebook.com:443@infosec.rm-it.de/.” In other words, iOS showing the URL as facebook.com but the user is taken to “https://infosec.rm-it.de/” instead.
Infosec said it reported the vulnerability to Apple Dec. 23, but as of March 26 it remains unaddressed, hence its decision to publish the details.
The parsing issue may not be restricted to iOS. iDownloadblog reported that third-party QR code readers are also susceptible to this issue. Some apps put users at great risk by automatically opening a link upon scanning a QR code. Others may simply crash when presented with a malformed URL in the QR code.
The QR code vulnerability is not the first issue discovered in iOS 11 since it was released in September. A bug discovered in February triggered by typing in a single text character was found to crash iPhones and disable access to apps and iMessage. That issue was fixed in iOS 11.3.
Image: Pixabay
A message from John Furrier, co-founder of SiliconANGLE:
Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.
- 15M+ viewers of theCUBE videos, powering conversations across AI, cloud, cybersecurity and more
- 11.4k+ theCUBE alumni — Connect with more than 11,400 tech and business leaders shaping the future through a unique trusted-based network.
About SiliconANGLE Media
SiliconANGLE Media is a recognized leader in digital media innovation, uniting breakthrough technology, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — with flagship locations in Silicon Valley and the New York Stock Exchange — SiliconANGLE Media operates at the intersection of media, technology and AI.
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
