According to a MacRumors report today, a newly discovered vulnerability in iOS 11 was reported by Infosec over the weekend. The security flaw is said to affect the QR code scanner, a software feature newly introduced in iOS 11 for iPhone and iPad.
The vulnerability means that a QR code encoding a website link can fool users: the notification that appears when you scan the code with the camera displays an “unsuspicious” link, even though the link that is actually opened could lead to a malicious site. Infosec demonstrated how this works by creating a QR code whose notification said “Open ‘facebook.com’” but which in fact took the user to Infosec’s own website.
“The URL parser of the camera app has a problem here detecting the hostname in this URL in the same way as Safari does,” explained Infosec. “…This leads to a different hostname being displayed in the notification compared to what actually is opened in Safari.”
Infosec says that it actually reported the issue to Apple’s security team back on December 23, 2017, but it doesn’t appear that Apple has taken any steps to fix the vulnerability as yet.
Source: iOS 11 QR Code Vulnerability in Camera App Could Lead Users to Malicious Websites