The iOS camera app has a built-in QR code scanning feature which automatically detects a QR code, scans it and redirects users to the web address embedded in it. However, a newly discovered vulnerability in the camera app's URL parser can be misused to redirect users to a malicious website.
The vulnerability was spotted by Infosec, whose report revealed that attackers can exploit a weakness in the camera app by crafting a URL whose apparent hostname, the one shown in the notification box, differs from the address actually opened. Once unsuspecting users give permission to open the web page, they are redirected to the target website embedded in the QR code.
The iOS camera app’s QR code functionality works in two steps. First, it detects a QR code and automatically scans it, and once the code is scanned, a notification pops up which asks users to grant permission for opening the configured URL. Upon giving the permission, users are redirected to the web address. But the first step is where malicious parties can take advantage of the bug.
As per Infosec's findings, attackers can make a familiar hostname such as 'Google.com' or 'Facebook.com' appear in the notification box so that scanning the QR code raises no suspicion. Once users grant the permission, they are taken to the malicious website embedded in the QR code.
According to Infosec, the iOS camera app's URL parser does not reliably identify the hostname in a URL, which is what makes the spoofing possible. Take for example the following URL:
The camera app identifies Facebook as the hostname in the above URL and shows that name in the notification pop-up, but actually opens a different web address.
The vulnerability was brought to the Apple Security Team's attention in December last year, but has so far not been fixed. Users who are concerned about the camera app redirecting them to a malicious web address can disable the functionality by turning off Scan QR Codes under Settings > Camera.