Last week it was reported that a bunch of malware-infected QR reader apps on the Play Store had been downloaded half a million times. Now, Infosec’s security researcher Roman Mueller has identified a flaw in the way the iOS camera application handles QR codes; the flaw leads to users being redirected to malicious destinations.
The vulnerability is present in the app’s automatic QR code scanning function. It results in displaying a URL that can lead the unsuspecting user to unauthentic and even infected websites.
Mueller demonstrated his findings with an example in which the QR code scanned by the iPhone’s camera app displayed a link that appeared to lead to Facebook.com in the Safari browser, but the user was instead redirected to Mueller’s own website (https://infosec.rm-it.de/). He also showed the notification displayed when the iOS 11.2.1 camera app scanned the QR code.
It must be noted that with iOS 11, Apple Inc. introduced a brand new feature in its built-in camera app. The app allows users to scan QR codes and access links or other types of content. With this new feature, iPhone users are no longer required to install a third-party app to scan QR codes.
Mueller stated that it took only a few minutes to identify a way to construct a QR code that displays a harmless-looking domain in the notification but actually leads the user to a completely different and somewhat insecure destination in the Safari browser. He further asserted that this is a grave vulnerability as it opens a plethora of opportunities for cybercrooks; they can lead users to phishing sites or links containing malicious exploits.
Apple was notified about the vulnerability by Mueller on December 23, 2017, but the company hasn’t yet fixed it. Considering the time elapsed since the date of notifying Apple, Mueller thought it was the right time to publicly disclose the flaw.
He is now hoping that the resulting unrest among the security community will force Apple to release a fix soon. We also believe that this is a serious flaw simply because it is so easy to exploit. Anyone with access to a QR code generator can reproduce the flaw, which is why a patch should be released promptly.