Dan Pražák Even though iOS 11 is a capable system in many ways, its stability and security are not so exemplary. While Apple is still working on a fix for the latest bug that allowed Siri to read hidden messages from the lock screen, another security flaw involving the native Camera app and its ability to scan malicious QR codes was revealed over the weekend.
It could be interest you
Server & Hosting Infosec came up with the finding that the Camera application, or rather its function for scanning QR codes, is under certain circumstances unable to recognize the actual website to which the user will be redirected. Thus, an attacker can relatively easily get the user to a certain website, while the application informs about the redirection to completely different, safe pages.
Thus, while users will see that they will be redirected to facebook.com, for example, in reality, after clicking on the prompt, the website https://jablickar.cz/ will be loaded. Hiding the real address in a QR code and fooling the reader in iOS 11 is not difficult for an attacker. Just add a few characters to the address when creating the QR code. The original mentioned url looks like this after adding the necessary characters: https://xxx\@facebook.com:443@jablickar.cz/.
Gallery
Although it may seem like the bug was discovered only recently and Apple will fix it soon, this is not the case. In fact, Infosec stated in its post that it was brought to Apple's security team's attention on December 23, 2017, and unfortunately it has not been fixed until today, i.e. after more than three months. So let's hope that at least in response to the media coverage of the bug, Apple will fix it in an upcoming system update.
