How To: 13 QR Code Scanners That Won't Send You to Malicious Webpages on Your iPhone

13 QR Code Scanners That Won't Send You to Malicious Webpages on Your iPhone

The default Camera app got a few more tricks up its sleeves when iOS 11 was released, and the best addition by far was the inclusion of a built-in QR code reader since that meant no more third-party apps just for QR code scanning. However, Apple's built-in QR code scanner did have a vulnerability at one point that would let hackers direct you to a compromised website without you even noticing it.

While old by now, the vulnerability in question, discovered by security consultant Roman Mueller, happened when the Camera app scanned a QR code with a website link. After scanning, it did not correctly parse the URL within, which could result in the notification that popped up showing one domain name, while tapping through would take you to a completely different one.

Using Roman's example, the URL in the QR code would be embedded as such:

https://xxx\@facebook.com:443@infosec.rm-it.de/

And after scanning the QR code, the pop-up in your Camera app would have said "Open 'facebook' in Safari" but would actually take you to infosec.rm-it.de instead.

All a hacker needed to do to trick you into giving up your credentials was create a convincing clone of the website you thought you were going to, complete with a URL that looked almost the same as the one it's masquerading as, then put it out there on the web and phish until they had enough of what they wanted.

While Roman discovered this in iOS 11.2.1, we had tested it in iOS 11.2.6, the iOS 11.3 beta, and iOS 11.3, and it persisted in all of those versions. The glitch was reported to Apple on Dec. 23, 2017, but was not officially addressed until April 24, 2018, when iOS 11.3.1 was released to the public.

So if you're running anything from iOS 11.3.1 or later, such as iOS 12 or iOS 13, you don't need to worry about the vulnerability. Still, you may be interested in third-party QR code readers if you don't like or trust Apple's.

Update to iOS 11.3.1 or Later to Fix This Issue

Apple finally fixed the issue, labeled by Apple as CVE-2018-4187, in the iOS 11.3.1 update on April 24, 2018. So, if you like the idea of using your Camera app to scan QR codes, simply update to iOS 11.3.1 or later, such as iOS 12 or iOS 13, on your iPhone.

Disable the Camera's Built-in QR Code Scanner

Whether or not you only scan QR codes daily or almost never, you'll want to disable the QR code scanner in the Camera app if you're worried about it from a security perspective. Even though Apple fixed the issue, it just goes to show how easy it is for hackers to take advantage of you using stock Apple apps.

While the chances of you scanning a malicious QR code are relatively low, you can never be too safe. Either update to iOS 11.3.1 or later or open up your Settings app, tap on "Camera," then toggle off "Scan QR Codes."

Use a Third-Party QR Code Scanner Instead

If you find yourself scanning a lot of QR codes and don't want to update to iOS 11.3.1 or later just yet, you might want to go back to one of your third-party QR code scanners until you're ready to trust Apple again.

We personally tested all of the free QR code readers below using the same vulnerability, and they all failed to load the malicious webpage properly. Some did a web search for the string while others just failed to read the URL at all, treated it as an email link, or just crashed the app. Either way, it was obvious and did not go directly to the malicious website.

Three different scanners reading the same QR code.

Like previously mentioned, the chances that you take a snapshot of a malicious QR code are low, but it's definitely possible, so a third-party app might be good if you're running iOS 11.3 or lower. Otherwise, make sure to install iOS 11.3.1 or later to be protected.

Editor's note: Article updated on April 24, 2018, when Apple released iOS 11.3.1.

Just updated your iPhone to iOS 18? You'll find a ton of hot new features for some of your most-used Apple apps. Dive in and see for yourself:

Cover photo and screenshots by Justin Meyers/Gadget Hacks

Be the First to Comment

Share Your Thoughts

  • Hot
  • Latest