This past weekend, a bug in iOS 11’s Camera App was reported by Roman Mueller (@faker_). The bug in question deals with how URLs are parsed: the website presented to a user may not be the website that loads in the Safari web browser.
When Roman Mueller created a URL “https://xxx\@facebook.com:443@infosec.rm-it.de/”, stuck it inside a QR code and scanned it with the Camera App, iOS 11 asked him if he wanted to open “facebook.com” in Safari. When he tapped the notification, Safari opened “infosec.rm-it.de” instead.
You can see this bug in action by scanning the following QR code with your Camera App:
The URL parser of the camera app has a problem here detecting the hostname in this URL in the same way as Safari does.
It probably detects “xxx\” as the username to be sent to “facebook.com:443”, while Safari might take the complete string “xxx\@facebook.com” as a username and “443” as the password to be sent to infosec.rm-it.de.
This leads to a different hostname being displayed in the notification compared to what actually is opened in Safari.
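The mismatch described above, as an added example (not code from Apple, Safari or Roman Mueller's report): the same URL split at the first "@" and at the last "@", plus a check a scanner could run before showing a hostname. The function names are hypothetical, and the first-"@" parser only models the behaviour the text guesses at for the Camera App.

```python
from urllib.parse import urlsplit

# URL reassembled from the parts the article names (constructed sample input).
SAMPLE = "https://xxx\\@facebook.com:443@infosec.rm-it.de/"


def authority(url):
    """Text between '//' and the next '/', '?' or '#'."""
    rest = url.partition("//")[2]
    for sep in "/?#":
        rest = rest.split(sep, 1)[0]
    return rest


def host_first_at(url):
    """Hypothetical preview parser: userinfo ends at the FIRST '@'."""
    hostport = authority(url).split("@", 1)[-1]
    return hostport.split(":", 1)[0].lower()


def host_last_at(url):
    """Python's urllib view: userinfo ends at the LAST '@'."""
    return (urlsplit(url).hostname or "").lower()


def review(url):
    """Collect what a scanner should check before displaying a hostname."""
    parts = urlsplit(url)
    shown, opened = host_first_at(url), host_last_at(url)
    reasons = []
    if shown != opened:
        reasons.append("parsers disagree on host")
    if parts.username is not None:
        reasons.append("userinfo present")
    if "\\" in url:
        reasons.append("backslash in URL")
    return {"shown": shown, "opened": opened, "reasons": reasons}


if __name__ == "__main__":
    print(review(SAMPLE))
    print(review("https://intego.com/"))  # constructed benign input
```

Any non-empty `reasons` list is a cue to show the full URL rather than a single extracted hostname, which is what the scanner apps marked "shows URL before opening browser" below do.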
A bug such as this could be exploited by presenting a seemingly harmless URL that actually opens a webpage exploiting another bug. Imagine a QR code that asks to open “intego.com” but instead opens a webpage with a certain Telugu character on it. That would have been very problematic just a month ago. Of course, someone could also create a dummy website that looks just like the website you were expecting, with the purpose of spreading malware or misinformation, or attempting to collect a service’s login name and password. Get creative, and if you can think of it, someone else can too.
This bug was reported to Apple over 3 months ago and remains unpatched.
— Josh Long (the JoshMeister) (@theJoshMeister) April 14, 2018
Personally, until I heard about this bug, I didn’t even know the Camera App could scan QR codes. I never deal with QR codes, and when I do see them, I’m rarely interested in going through the effort of finding an app that can scan them. This feature may be news to you as well, but if you were aware of this feature and have been using it, this may be a good time to explore some alternatives.
There are quite a few QR scanning apps out there, and I tested a few, which include:
- QR Reader for iPhone (vulnerable)
- Barcode reader for iPhone (vulnerable)
- QR Code Reader (not vulnerable or unable to load)
- Free QR Code Reader & Barcode Scanner for iPhone (not vulnerable or unable to load)
- QR Code Reader- Scanner Pro (not vulnerable, shows URL before opening browser)
- QR Code Reader & Creator (not vulnerable, shows URL before opening browser)
- QR Code: Barcode Scanner (not vulnerable, shows URL before opening browser)
- QR Code Reader – Barcode Maker (not vulnerable, shows URL before opening browser)
- QR Code Reader – QR Scanner (not vulnerable, shows URL before opening browser)
Out of the nine I tested, two failed, and there are many others available out there that I haven’t tested. If you are looking for a QR Code scanner, use one of the links above to go directly to the App Store, where you can download the app. If you prefer to search for another app or already use one, just test it against the QR code image above. If it opens “infosec.rm-it.de,” then it’s vulnerable and we recommend that you try another app.
It is not known when Apple will address this bug, but now that it’s in the spotlight, it will likely be soon. Update: This issue was addressed in iOS 11.3.