QR Code Bug in Apple iOS 11 Could Lead You to Malicious Sites
For the demo, the researcher created a QR code (shown above) with the following URL:
https://xxx\@facebook.com:443@infosec.rm-it.de/
If you scan it with the iOS camera app, it shows the following notification:
Open "facebook.com" in Safari
When you tap the notification to open the site, Safari instead opens:
https://infosec.rm-it.de/
I have tested the vulnerability, as shown in the screenshot above, on my iPhone X running iOS 11.2.6 and it worked.
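The demo above is a parser differential: the camera app derives one hostname from the URL for display, while Safari derives another for navigation. The script below is an added example written for this page, not code from the article or from the researcher. It parses the payload with Python's RFC 3986-style urllib.parse (userinfo ends at the last "@", so the real host is infosec.rm-it.de) and, beside it, a deliberately naive hypothetical parser that splits at the first "@" and so reports "facebook.com". The naive function is a constructed illustration of how a display routine can disagree with the navigation parser; it is not a claim about Apple's actual implementation.

```python
from urllib.parse import urlsplit

# Constructed sample input: the payload URL quoted in the article.
PAYLOAD = "https://xxx\\@facebook.com:443@infosec.rm-it.de/"


def real_destination_host(url: str) -> str:
    """Host a standards-following client will actually connect to.

    urllib.parse treats everything before the LAST '@' in the authority as
    userinfo, so the host is what follows that final '@'.
    """
    return urlsplit(url).hostname or ""


def naive_displayed_host(url: str) -> str:
    """HYPOTHETICAL naive parser, written for this example only (not Apple's code).

    It strips the scheme, cuts the authority at the first '/', then reads the
    host as what follows the FIRST '@' up to the next ':'. Splitting at the
    first rather than the last '@' is one way a display routine can end up
    showing "facebook.com" for the payload above.
    """
    authority = url.split("://", 1)[-1].split("/", 1)[0]
    host_part = authority.split("@", 1)[-1]
    return host_part.split(":", 1)[0].lower()


def hosts_disagree(url: str) -> bool:
    """True when the host shown to the user differs from the real destination."""
    return naive_displayed_host(url) != real_destination_host(url)


def describe(url: str) -> dict:
    """Break the URL down so the two views of it can be compared side by side."""
    parts = urlsplit(url)
    return {
        "userinfo_username": parts.username,
        "userinfo_password": parts.password,
        "real_host": parts.hostname,
        "naive_host": naive_displayed_host(url),
        "disagree": hosts_disagree(url),
    }


if __name__ == "__main__":
    for url in (PAYLOAD, "https://infosec.rm-it.de/"):
        print(url)
        for key, value in describe(url).items():
            print(f"  {key}: {value!r}")
```

The practical lesson for anyone building a "you are about to open X" prompt is that the displayed host must come from the same parser that will perform the navigation; a cheap extra guard is to refuse or flag any URL whose authority contains userinfo at all, since legitimate QR codes almost never need it.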
QR (Quick Response) codes are a quick and convenient way to share information, but this issue becomes particularly dangerous when users rely on QR codes to make quick payments or open banking websites, where they may end up handing their login credentials to a phishing site that the prompt presented as the legitimate domain.
The researcher reported this flaw to Apple in December last year, but as of this writing Apple has not yet fixed the bug.