QR Code Bug in iOS 11 Can Bring You to Malicious Websites

Mar 29, 2018360TS

A new vulnerability was discovered in the Camera App of iOS. It can be exploited to lure users into visiting a malicious website without their knowledge. This flaw affects Apple’s latest iOS 11 system on iPhone, iPad and iPod touch devices.

The Built-in Camera Can Mislead You

In iOS 11 Apple brought a new feature that automatically recognizes QR codes via built-in Camera app so users no longer need a 3rd party QR code reader.

When reading a QR code, iOS users need to open the built-in Camera app and aim it at the QR code. If any URL is found in the code, the app will prompt a notification, asking users if they want to visit the URL with the browser.

However, this flaw allows the attackers to forge the displayed name of the website on the notification, redirecting users to malicious website.

According to Roman Mueller, the researcher who discovered the bug, if the QR code reader in the Camera app fails to detect the domain name of the URL, the displayed name of notification can be manipulated to trick users.

No Official Update to The Date

The researcher had reported this issue to Apple but Apple hasn’t addressed this bug. Before there is any official solution available, 360 Security Center suggests that users should always scan QR codes from trusted sources.

QR code is a very convenient way to share information, such as payment or website URLs. However, we should always be aware that the convenience can bring security risk when it’s being abused.