The vulnerability affects Apple’s latest iOS 11 mobile operating system for iPhone, iPad, and iPod touch devices and resides in the built-in QR code reader.
With iOS 11, Apple introduced a new feature that gives users the ability to automatically read QR codes using their iPhone’s native camera app, without requiring any third-party QR code reader app.
According to Mueller, the URL parser of the built-in QR code reader in the iOS camera app fails to detect the hostname in the URL, which allows attackers to manipulate the URL displayed in the notification, tricking users into visiting malicious websites instead.
For the demo, the researcher created a QR code (shown above) with the following URL:
https://xxx\@facebook.com:[email protected]/
If you scan it with the iOS camera app, it will show the following notification:
Open “facebook.com” in Safari
When you tap it to open the site, it will instead open:
https://infosec.rm-it.de/
I have tested the vulnerability, as shown in the screenshot above, on my iPhone X running iOS 11.2.6 and it worked.
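The mismatch described above, between the hostname shown in the prompt and the host that is actually opened, can be avoided by refusing to display a hostname for any scanned URL whose authority part is ambiguous. The following is an added example, not Apple's code or the researcher's; the function name `display_host` and the `.example` sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

def display_host(url: str):
    """Return (host, None) when the host is unambiguous, else (None, reason)."""
    # Backslashes, whitespace and control characters are where URL parsers
    # tend to disagree, so reject them before any parsing takes place.
    if any(c == "\\" or c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return None, "backslash, whitespace or control character in URL"
    try:
        parts = urlsplit(url)
        host, _port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return None, "malformed authority"
    if parts.scheme not in ("http", "https"):
        return None, "unsupported scheme"
    # Anything before '@' is userinfo, not the host; a prompt that shows it
    # as the destination misleads the user, so do not show a host at all.
    if "@" in parts.netloc:
        return None, "userinfo present before host"
    if not host:
        return None, "no hostname"
    return host, None

# Constructed sample inputs (placeholder domains, not taken from the article).
SAMPLES = [
    "https://other.example/path",
    "https://Other.Example:8443/",
    "https://trusted.example:443@other.example/",
    "https://xxx\\@trusted.example:443@other.example/",
    "ftp://other.example/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        host, reason = display_host(sample)
        print(f"{sample!r}: {host or 'REJECTED (' + reason + ')'}")
```

A reader app built this way would show the full URL with a warning, or decline to open it, whenever the function returns no host.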