How a QR code can fool iOS 11's Camera app into opening evil.com rather than nice.co.uk

A security researcher based in Germany has identified a flaw in the way Apple's iOS 11 handles QR codes in its Camera app.

Last year, with the launch of iOS 11, Apple gave its Camera app the ability to automatically recognize QR codes.

Over the weekend, Roman Mueller found that this feature has a bug that can be used to direct people to unexpected websites.

The first step involves creating a QR code from a URL, such as this one:

https://xxx\@facebook.com:443@infosec.rm-it.de/

If you then open the Camera app under iOS 11.2.6 (the most recent release) and point the device's camera at the QR code made from that URL, it will immediately recognize the presence of a QR code, parse the embedded URL, and ask whether you want to open "facebook.com" in Safari.

The problem is that the the app will open a different website – "infosec.rm-it.de" – in Apple's Safari browser. Hence, the potential for misuse.

Imagine someone popping codes on posters on public transit, banks, shops, cafes, and so on, that pretend to lead to a legit website, but really go to password-collecting fake sites, or malicious pages that attempt to download and run malware.

"The URL parser of the camera app has a problem here detecting the hostname in this URL in the same way as Safari does," said Mueller in his post. "...This leads to a different hostname being displayed in the notification compared to what actually is opened in Safari."

Technically, the example URL is problematic because the backslash character while valid is considered "unwise," according to past RFCs. The recommendation is that it should be escaped or percent-encoded, which is to say represented using the characters "%5C" in place of "\".

But El Reg created a QR code from a percent-encoded URL and got the same results.

The issue lies elsewhere, in the way Apple's software handles the initial "@" character. It's not clear exactly where this bug lies – because the relevant Apple code isn't open source – but the notification display mechanism and Safari handle the URL string in a different way.

The notification system picks up the first domain in the string, "facebook.com," while Safari detects the second.

The problem goes away if you drop the leading "@" character from the URL and create the QR code from this revised URL:

https://xxx\facebook.com:443@infosec.rm-it.de/

According to Mueller, this issue was reported to the Apple security team on December 23, 2017 and as of Monday remained unfixed.

The security risks posed by QR codes have been known for years. But the problem with the way Apple's Camera app handles QR codes offers a reminder that opening a website when the URL is not evident isn't a great idea.

Apple did not immediately respond to a request for comment. The release of iOS 11.3 is expected shortly, possibly on Tuesday, March 27 in conjunction with Apple's scheduled educational announcement. ®