A security firm has uncovered a potentially concerning bug with the iOS camera while scanning QR codes. This bug, spotted by Infosec, can basically redirect you to a malicious link although the link mentioned will be something else.
It is said that Infosec has already informed Apple about this bug in December last year, but hasn’t received a response (or a patch) as of yet.
The security firm illustrated the bug by creating its own link and QR code, mentioning that they will be redirected to Facebook, but instead opening Infosec’s website. This is just an example of how malware can be masked under other URLs to penetrate your device.
Apple has been relatively quiet on the matter, which is a bit of a surprise since this is an incredibly worrying bug for the users. Starting with iOS 11, Apple enabled a QR code reader within the stock iOS camera app, allowing users to scan codes and open webpages. Users now hope that Apple recognizes this as an issue and patches it immediately.
You can find the QR code setup by Infosec below. While scanning it with your iOS 11.2.1 camera app, it will display a message saying “Open “facebook.com” in Safari”, however, the code will open “https://infosec.rm-it.de/”. The company claims that embedding the URL in this format “https://xxx\@facebook.com:[email protected]/” will trick the system into opening a completely different link than the one mentioned to the users.