A Bug Found in the iOS Camera’s QR Reader Can Redirect Users to Malicious Websites

How a flaw in the way the iOS camera app parses URLs can be misused to redirect users to a malicious website

As we know, the iOS camera app has a built-in QR code scanning feature that automatically detects a QR code, reads it, and offers to open the web address embedded in it.

But, per 9to5Mac, security researcher Roman Mueller of Infosec recently discovered that a flaw in the camera app's automatic QR code scanning function can make it display one link and then send users somewhere else when they tap it. Mueller's proof of concept is a QR code that, when scanned with an iPhone, produces a notification offering to open facebook.com in Safari, but actually sends users to his own site.

In this way, attackers can exploit the bug by crafting a URL whose hostname, as shown in the notification banner, looks like a trusted site. Once unsuspecting users give permission to open the page, they are sent to the real target website embedded in the QR code.

The iOS camera app's QR code functionality works in two steps. First, it detects and reads the QR code. Then a notification pops up asking the user for permission to open the URL it found, and on approval the URL is handed to Safari. The flaw lies in the parsing that produces the hostname shown in that notification, so the user is deciding based on a hostname the browser will not actually open.

As per Infosec's findings, attackers can craft a URL so that a hostname such as 'Google.com' or 'Facebook.com' appears in the notification box, which avoids suspicion when the QR code is scanned. Once users grant permission, they are taken to the malicious website actually embedded in the QR code.

As per Infosec, the iOS camera app's URL parser has a problem detecting the hostname in a URL, which leaves the door open for exploitation. Take for example the following URL: https://xxx\@facebook.com:443@infosec.rm-it.de/

The camera app identifies facebook.com as the hostname in the URL above and shows that in the notification, but Safari resolves the host differently and opens infosec.rm-it.de instead. The trick is the authority section between the scheme and the first slash: it contains two '@' characters plus a backslash, and the camera app and the browser disagree about where the credentials end and the hostname begins.
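The following is an added illustration and is not Apple's parser, nor code from Mueller's write-up. It contrasts a hypothetical naive authority parser (an assumption about how a display routine can get the host wrong: credentials end at the first '@') with Python's standard-library parser, which treats everything up to the last '@' as userinfo and therefore lands on infosec.rm-it.de as the article reports Safari does. It also adds a small lint a QR scanner could run before offering a link. The proof-of-concept URL is the one quoted above; the other two inputs are constructed here, and example.com is a placeholder host.

```python
"""Host-display mismatch for QR-code URLs: naive parse vs. RFC 3986 parse.

Added example code (not Apple's or the researcher's). The naive parser is an
assumption used to reproduce the mismatch, not a claim about iOS internals.
"""
from urllib.parse import urlsplit

# Constructed inputs. POC_URL is the URL quoted in the article; the others
# are made up here for comparison (example.com is a placeholder host).
POC_URL = "https://xxx\\@facebook.com:443@infosec.rm-it.de/"
BENIGN_URL = "https://www.facebook.com/"
USERINFO_URL = "https://user:pass@example.com/"


def naive_host(url: str) -> str:
    """Hypothetical buggy display parser.

    Assumes credentials end at the FIRST '@' in the authority and the host
    ends at the next ':', '/' or '@'. For POC_URL this yields 'facebook.com'.
    """
    if "://" not in url:
        raise ValueError("URL has no scheme")
    authority = url.split("://", 1)[1].split("/", 1)[0]
    if "@" in authority:
        authority = authority.split("@", 1)[1]  # drop text up to first '@'
    host = authority
    for delim in (":", "/", "@"):
        host = host.split(delim, 1)[0]
    return host.lower()


def rfc3986_host(url: str) -> str:
    """Host as urllib resolves it: userinfo runs up to the LAST '@'.

    For POC_URL this yields 'infosec.rm-it.de', the site the article says
    Safari actually opens.
    """
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError("URL has no host")
    return parts.hostname


def lint_qr_url(url: str) -> list:
    """Warnings a scanner could show before offering to open a scanned link.

    Userinfo in a link that came from a QR code has no legitimate purpose in
    practice, and any '@' or backslash in the authority is exactly what lets
    two parsers disagree about the host.
    """
    warnings = []
    authority = urlsplit(url).netloc
    if "@" in authority:
        warnings.append("authority contains userinfo ('@'): displayed host "
                        "may differ from the host that is opened")
    if "\\" in authority:
        warnings.append("backslash in authority: parsers disagree on where "
                        "the host starts")
    shown, opened = naive_host(url), rfc3986_host(url)
    if shown != opened:
        warnings.append(f"display/open mismatch: shows {shown!r}, "
                        f"opens {opened!r}")
    return warnings


if __name__ == "__main__":
    for url in (POC_URL, BENIGN_URL, USERINFO_URL):
        print(url)
        print("  naive host   :", naive_host(url))
        print("  RFC 3986 host:", rfc3986_host(url))
        for warning in lint_qr_url(url):
            print("  WARNING:", warning)
```

Running it shows the two parsers agreeing on the benign and plain-credentials URLs and splitting on the proof-of-concept URL. The practical takeaway for anyone building a scanner or link preview is the last check: derive the displayed hostname with the same parser the browser will use, and refuse or at least warn when the authority carries userinfo at all.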

The vulnerability was brought to the Apple Security Team's attention in December last year, but has so far not been fixed. Users who are concerned about the camera app redirecting them to a malicious web address can disable the feature under Settings > Camera > Scan QR Codes.

Sources: Beebom, Gizmodo, 9to5mac.