iOS 11 bug lets QR codes trick you into visiting malicious websites

[Image: QR codes. Beware sketchy QR codes if you’re using iOS 11. Photo: Thomas Leuthard/Flickr]

Security researchers have discovered yet another bug in iOS 11 that leaves users vulnerable to malicious attacks.

The flaw in the built-in QR code reader can be exploited to trick people into visiting malicious websites by first presenting them as innocent ones.

If you’re running iOS 11 — which the vast majority of iPhone and iPad users have now upgraded to — then you can point your camera at QR codes to read them. Apple’s built-in Camera app now automatically recognizes the code before asking if you want to open it.

iOS 11’s QR code bug

It’s a handy tool that negates the need for a third-party QR code reader, but it needs work. Researchers at InfoSec have discovered a flaw in the way in which the reader parses URLs that could be exploited to lead users to malicious websites.

By embedding URLs in a certain format, an attacker can trick iOS into showing users one website, but then leading them to another. For example, the QR code below will cause iOS to ask you if you want to visit Facebook, but when you open it, it will take you to the InfoSec website instead.

[Image: iOS 11 QR code bug. Scan this code in iOS 11 to see the flaw for yourself. Photo: InfoSec]

It’s easy to imagine how attackers might take advantage of this.

A QR code could be embedded in a phishing email that promises special offers or freebies when the code is scanned. Users might then be led to a malicious website that’s designed to look genuine, where they are tricked into handing over sensitive information.

How iOS is fooled

To exploit the flaw, attackers simply need to embed a URL in the code using a format such as “https://xxx\@facebook.com:443@infosec.rm-it.de/.”

In this instance, iOS sees the website as “facebook.com” — and that’s all it shows the user. But when the URL is loaded in Safari, it actually leads to “infosec.rm-it.de.”
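The mismatch comes from how the authority part of the URL is parsed: per RFC 3986, everything before the last “@” is userinfo, so “facebook.com” is just part of a username and the real host is what follows. The script below is an added example, not code from the article or from InfoSec, showing what a standards-conforming parser makes of the quoted URL format and the kind of check a QR reader or link preview could apply before showing a domain to the user; the sample URLs are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed sample inputs: the first uses the URL format the article quotes,
# the others are ordinary links for comparison.
SAMPLE_URLS = [
    "https://xxx\\@facebook.com:443@infosec.rm-it.de/",
    "https://www.facebook.com/",
    "https://user:pw@example.com/login",
]


def resolved_host(url: str) -> str:
    """Host a standards-conforming (RFC 3986) parser resolves the URL to.

    Anything before the last '@' in the authority is userinfo, not the host,
    so 'facebook.com' in the spoofed URL never becomes the destination.
    """
    return (urlsplit(url).hostname or "").lower()


def describe_qr_url(url: str) -> dict:
    """Return the host a reader should display plus a 'suspicious' flag.

    The flag is raised whenever the authority carries userinfo ('@'), the
    ingredient this spoof relies on to hide the real host behind a familiar
    name. Legitimate links scanned from QR codes almost never need userinfo.
    """
    netloc = urlsplit(url).netloc
    return {
        "display_host": resolved_host(url),
        "userinfo": netloc.rpartition("@")[0],  # '' when there is no '@'
        "suspicious": "@" in netloc,
    }


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        info = describe_qr_url(u)
        flag = "WARN" if info["suspicious"] else "ok"
        print(f"{flag:4} host={info['display_host']:20} {u}")
```

Run as-is, the first URL is reported with host infosec.rm-it.de and flagged, which is exactly the comparison the article recommends making by hand in Safari’s address bar.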

InfoSec says that it reported the bug to Apple back in December, but the company is yet to provide a fix. Until the problem has been rectified, we recommend that you double-check URLs in Safari’s address bar to confirm they are genuine after scanning a QR code.