A newly discovered vulnerability in the QR code scanning feature in the iPhone Camera app in Apple Inc.’s iOS 11 software could result in users being taken to malicious websites.

The vulnerability, found by Infosec, relates to a parsing error that allows an attacker to show iPhone users a different web address to the site to which the user is actually taken.

As of iOS 11, the camera app automatically scans QR codes and then prompts users, via a popup, with a question asking them if they want to visit the URL detailed in the QR code. In this case, a bad actor can manipulate the display to show a legitimate website address while actually taking the user to a malicious website instead.

In an example given by Infosec, it created a QR code that displays a notification to “Open ‘facebook.com’ in Safari” but the URL embedded in the QR code is “https://xxx@facebook.com:443@infosec.rm-it.de/.” In other words, iOS showing the URL as facebook.com but the user is taken to “https://infosec.rm-it.de/” instead.

Infosec said it reported the vulnerability to Apple Dec. 23, but as of March 26 it remains unaddressed, hence its decision to publish the details.

The parsing issue may not be restricted to iOS. iDownloadblog reported that third-party QR code readers are also susceptible to this issue. Some apps put users at great risk by automatically opening a link upon scanning a QR code. Others may simply crash when presented with a malformed URL in the QR code.

The QR code vulnerability is not the first issue discovered in iOS 11 since it was released in September. A bug discovered in February triggered by typing in a single text character was found to crash iPhones and disable access to apps and iMessage. That issue was fixed in iOS 11.3.

Image: Pixabay