The flaw could be exploited by hackers to redirect iPhone users to insecure web pages
The flaw exploits the QR reader in the iOS 11 camera, which automatically reads the code without needing a third-party app.
Sounds pretty useful, right?
But last week, researcher Roman Mueller found a bug in the app which could direct users to a malicious website without their knowledge.
Mueller created a QR code using the following URL: https://xxx\@facebook.com:443@infosec.rm-it.de.
The reader picked up the first part of the web address and prompted the user to open Facebook.com in their browser.
However, it actually sent them to the second part of the link – infosec.rm-it.de.
Mueller notes that an attacker could exploit this flaw to redirect users to an insecure web page under the guise of a trusted URL.
His blog post read: “The URL parser of the camera app has a problem here detecting the hostname in this URL in the same way as Safari does.”
He added: “...This leads to a different hostname being displayed in the notification compared to what actually is opened in Safari.”
This vulnerability is present in iOS 11.2.6 – the latest version – which Muller claims he reported to Apple on December 23, 2017.
It isn’t clear exactly what the flaw is, as Apple’s code is not open-source, but it appears to be an issue with the @ symbol in front of the first URL.
If the @ is dropped – for example https://xxx\facebook.com:443@infosec.rm-it.de – the flaw isn’t present.So far, Apple hasn’t released an update or patch for the bug, but ZDNet has claimed that iOS 11.3 could arrive early next week.
