If the reports are accurate, researchers have found a vulnerability in the Camera app of Apple's iOS. The bug is specific to how the app handles QR codes: its automatic QR code scanning can preview one hostname while the link it opens on tap goes to a different site, which can lead users to tap a malicious link. The flaw was reported by 9to5Mac.
Security researcher Roman Mueller, whose findings 9to5Mac reported, stated that the issue could lead users to tap links that start the download of malicious content. He demonstrated it with a QR code that, when scanned with his iPhone, is previewed by the camera app as a link to facebook.com, but which Safari then opens as a page on his own site.
This is what the researcher stated:
If you scan [the QR code below] with the iOS (11.2.1) camera app, it will show this notification:
Open “facebook.com” in Safari
But if you tap it to open the site, it will instead open https://infosec.rm-it.de/
Mueller tweeted a gif of what this looks like in practice:
To achieve this result, all that’s needed is to have the QR code embed a link in this format:
Mueller offered this explanation for why the trick works:
The URL parser of the camera app has a problem here detecting the hostname in this URL in the same way as Safari does.
It probably detects “xxx\” as the username to be sent to “facebook.com:443”.
While Safari might take the complete string “xxx\@facebook.com” as a username and “443” as the password to be sent to infosec.rm-it.de.
In other words, the hostname shown in the scan notification cannot be trusted to be the host that Safari will actually open, so anyone who scans such a code can be led to an attacker-controlled site on their device while believing they are visiting a familiar one. That makes the scanner a convenient phishing vector. Apple hasn't provided any official comment on this matter as yet.
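The parser disagreement Mueller describes can be reproduced in a few lines. The following is an added example, not code from Mueller or from Apple: `preview_hostname` is a hypothetical "split at the first @" parser that reconstructs the behaviour he attributes to the camera app, `navigation_hostname` uses Python's RFC 3986-style `urllib.parse.urlsplit`, which resolves the authority the way he describes Safari doing (userinfo runs to the last `@`), and `DECOY_URL` is a test input reconstructed from his explanation, since the literal string encoded in his QR code is not reproduced on this page. The `safe_open_prompt` function shows the check a scanner should perform: derive the displayed host from the parser that will navigate, and refuse a one-tap open when the URL carries embedded credentials at all.

```python
from urllib.parse import urlsplit

# Constructed test input, reconstructed from Mueller's quoted explanation of the
# parser disagreement (the literal string in his QR code is not on this page):
# a backslash inside the userinfo, a decoy host with a port, and a second '@'
# before the real host. The Python literal "\\" is a single backslash.
DECOY_URL = "https://xxx\\@facebook.com:443@infosec.rm-it.de/"


def preview_hostname(url: str) -> str:
    """Hypothetical 'first @' parser reproducing the behaviour Mueller attributes
    to the camera app. A reconstruction for illustration, not Apple's code.
    Everything before the first '@' is treated as userinfo; the host then runs
    until the next '@', ':' or the end of the authority."""
    authority = url.split("://", 1)[1].split("/", 1)[0]
    if "@" in authority:
        _userinfo, authority = authority.split("@", 1)   # userinfo = "xxx\"
    hostport = authority.split("@", 1)[0]                 # "facebook.com:443"
    return hostport.rsplit(":", 1)[0].lower()             # "facebook.com"


def navigation_hostname(url: str) -> str:
    """Host an RFC 3986-style parser resolves, matching what Mueller describes
    Safari doing: userinfo extends to the LAST '@', so the real host is what
    follows it."""
    return (urlsplit(url).hostname or "").lower()


def navigation_credentials(url: str):
    """Username and password an RFC 3986-style parser would send to the real
    host; for DECOY_URL that is ('xxx\\@facebook.com', '443')."""
    parts = urlsplit(url)
    return parts.username, parts.password


def preview_is_misleading(url: str) -> bool:
    """True when the host a naive preview would show differs from the host a
    browser would actually connect to: the condition a scanner must detect."""
    return preview_hostname(url) != navigation_hostname(url)


def safe_open_prompt(url: str) -> str:
    """Hardened prompt: take the displayed host from the same parser that will
    navigate, and do not offer a one-tap open for URLs carrying userinfo, since
    '@' in the authority is exactly what makes the preview ambiguous."""
    parts = urlsplit(url)
    if parts.username is not None or parts.password is not None:
        return "Link contains embedded credentials; not opening automatically"
    return f'Open "{navigation_hostname(url)}" in Safari'


if __name__ == "__main__":
    # Constructed sample inputs: the decoy, a plain link, and a benign link
    # that legitimately carries credentials.
    for u in (DECOY_URL, "https://facebook.com/",
              "https://alice:s3cret@example.com/login"):
        print(u)
        print("  naive preview host :", preview_hostname(u))
        print("  browser host       :", navigation_hostname(u))
        print("  credentials        :", navigation_credentials(u))
        print("  misleading         :", preview_is_misleading(u))
        print("  hardened prompt    :", safe_open_prompt(u))
```

Run on the decoy, the naive parser reports `facebook.com` while `urlsplit` reports `infosec.rm-it.de` with username `xxx\@facebook.com` and password `443`, exactly the split Mueller describes. Note that a WHATWG-conformant URL parser, the kind modern browser engines implement, treats a backslash as a path separator for `https` URLs and would produce yet a third reading of the same string; the lesson is not which parser is right but that the text shown to the user and the navigation that follows must come from one and the same parser.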