{"id":77059,"date":"2018-03-27T16:27:31","date_gmt":"2018-03-27T23:27:31","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=77059"},"modified":"2023-03-29T07:02:57","modified_gmt":"2023-03-29T14:02:57","slug":"ios-11s-camera-app-has-a-qr-code-vulnerability","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/ios-11s-camera-app-has-a-qr-code-vulnerability\/","title":{"rendered":"iOS 11’s Camera App Has a QR Code Vulnerability"},"content":{"rendered":"

This past weekend, a bug in iOS 11’s Camera App was reported<\/a> by Roman Mueller (@faker_<\/a>). The bug in question deals with how URL’s are parsed, how a website presented to a user may not be the website that loading in the Safari we browser.<\/p>\n

When Roman Mueller created a URL “https:\/\/xxx\\@facebook.com:443@infosec.rm-it.de\/,” stuck it inside a QR code and scanned it with the Camera App, iOS 11 asked him if he wanted to open “facebook.com” in Safari. When he tapped the notification, Safari opened “infosec.rm-it.de” instead.<\/p>\n

You can see this bug in action by scanning the following QR code with your Camera App:<\/p>\n

\"\"

QR Code created by Roman at infosec.rm-it.de<\/p><\/div>\n

Roman mentions:<\/p>\n

The URL parser of the camera app has a problem here detecting the hostname in this URL in the same way as Safari does.
\nIt probably detects \u201cxxx\\\u201d as the username to be sent to \u201cfacebook.com:443\u201d.
\nWhile Safari might take the complete string \u201cxxx\\@facebook.com\u201d as a username and \u201c443\u201d as the password to be sent to infosec.rm-it.de.
\nThis leads to a different hostname being displayed in the notification compared to what actually is opened in Safari.<\/p><\/blockquote>\n

A bug such as this could be exploited by presenting a seemingly harmless URL, but opening a webpage that exploits another bug. Imagine a QR code asking to open “intego.com,” but instead opens a webpage with a certain Telugu character<\/a> on it. That would have been very\u00a0problematic just a month ago. Of course, someone could also create a dummy website that looks just like the website you were expecting with the purpose of spreading malware<\/a>, misinformation or attempt to collect a service’s login name and password. Get creative, and if you can think of it, someone else can too.<\/p>\n

This bug was reported to Apple over 3 months ago and remains unpatched.<\/p>\n

\n

Having way too much fun with @faker_<\/a>'s iOS 11 QR code vulnerability. \ud83d\ude1c#Apple<\/a> #iOS<\/a> #iOS11<\/a> #QRcode<\/a> #vulnerability<\/a> pic.twitter.com\/sGDJq7bS0q<\/a><\/p>\n

— Josh Long (the JoshMeister) (@theJoshMeister) April 14, 2018<\/a><\/p><\/blockquote>\n