I’ve learned recently that the iOS 11 camera app will now automatically scan QR codes and interpret them.
This is pretty cool, until now you needed special apps to do that for you on iOS.
When scanning a QR code which contains a URL – in this case https://infosec.rm-it.de/ – iOS will show a notification like this:
Naturally the first thing I want to try is to construct a QR code which will show an unsuspicious hostname in the notification but then open another URL in Safari.
And this is exactly what I found after a few minutes. Here it is in action:
There is no redirect misuse being done on facebook.com, Safari will only access infosec.rm-it.de.
If you scan this QR code with the iOS (11.2.1) camera app:
The URL embedded in the QR code is:
It will show this notification:
But if you tap it to open the site, it will instead open https://infosec.rm-it.de/:
The URL parser of the camera app has a problem here detecting the hostname in this URL in the same way as Safari does.
It probably detects “xxx\” as the username to be sent to “facebook.com:443”.
While Safari might take the complete string “xxx\@facebook.com” as a username and “443” as the password to be sent to infosec.rm-it.de.
This leads to a different hostname being displayed in the notification compared to what actually is opened in Safari.
This issue has been reported to the Apple security team on 2017-12-23.
As of today (2018-03-24) this is still not fixed.
On 2018-04-24 this has been fixed with iOS 11.3.1 and macOS 10.13.4.
CVE-2018-4187 has been assigned to both issues.
Interestingly Firefox and Vivaldi on Windows 10 have yet another way to interpret your example URL. They automatically replace the backslash with a forward slash and use xxx as the hostname.
That’s scary! Any novice user could open a malicious website if he happens to scan the wrong QR code.
Did you report it to Apple btw? I believe they will fix it in the upcoming iOS 11.3 update.
Yes, I reported it on 23rd of December to Apple.
It has not been fixed with iOS 11.3.
“Barcode Scanner 4.4” from zxing shows the complete given string and would fire it to the main browser on an Android 2.3.7 CG7.
Yes, that is fairly old – the only way to protect me from recent flaws :-DDD
Btw, cool bug discovery 🙂
@DFYX ; you must use %5C instead the \ ; it should work. But you will have a popup warning on Firefox.
I guess it’s not a issue specific to QRCode Parser/iOS/Safari ; it’s specific to the way browser handled xxx:xxx as user/password for an attempt to a website (such as ftp login).
Browser should be able, as Firefox, to detect these attempts when web sites don’t require any login. Eg.
You are about to log in to the site “infosec.rm-it.de” with the username “xxx%5C%40facebook%2Ecom”, but the website does not require authentication. This may be an attempt to trick you.
Is “infosec.rm-it.de” the site you want to visit?
Interesting, I didn’t know Firefox did that – that’s great!
I think the main issue here is simply that the URL parsing between the camera app and Safari is different.
It doesn’t really matter which format is correct as long as both implement it exactly the same.
This issue appears to be fixed in iOS 11.4 public beta 1
Did you tested it?
It is fixed now in iOS 11.3.1 released today.
why you want to try is to construct a QR code which will show an unsuspicious hostname?
It could have been abused for Phishing.