The default Camera app gained a few new tricks when iOS 11 was released, and the best addition by far was a built-in QR code reader, which meant no more third-party apps just for scanning QR codes. However, Apple's built-in QR code scanner had a vulnerability that could let an attacker send you to a malicious website without you noticing.
The vulnerability, discovered by security consultant Roman Mueller, occurs when the Camera app scans a QR code containing a website link. The app does not parse the URL correctly, so the notification that pops up can show one domain name while tapping it takes you to a completely different one.
Using Roman's example, the URL in the QR code is embedded as follows:
After scanning it, the popup in the Camera app says "Open 'facebook' in Safari," but tapping it actually takes you to infosec.rm-it.de instead.
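The mismatch above comes down to two URL parsers disagreeing about which part of the link is the host. The example below is added here and is not code from the original article or from Roman Mueller's write-up: it contrasts a careless "preview" parser, which takes the first domain-looking token after the scheme, with Python's standards-compliant parser, which returns the real host from the authority part after any `user:password@` prefix. The payload strings (`SPOOFED_URL`, `HONEST_URL`, `LOOKALIKE_URL`) are constructed for illustration and are not the exact QR contents from the report; the function names are the author's own.

```python
"""
Added example: why a QR code link can display one host and open another.

RFC 3986 allows a "userinfo" part (user:password@) ahead of the real host
in the authority component. A naive preview parser that grabs the first
thing that looks like a domain after "https://" will show the userinfo,
while a spec-compliant parser (and therefore the browser) navigates to the
real host. The URLs below are constructed for this example.
"""
import re
from urllib.parse import urlsplit

# Constructed payload: "facebook.com:443" sits in the userinfo slot;
# the real host is infosec.rm-it.de, the domain named in the article.
SPOOFED_URL = "https://facebook.com:443@infosec.rm-it.de/"
# Constructed control: a plain link with no userinfo.
HONEST_URL = "https://facebook.com/"
# Constructed lookalike: no parser confusion, just a deceptive hostname.
LOOKALIKE_URL = "https://facebook.com.login-check.example/"


def naive_display_host(url: str) -> str:
    """Mimic a careless preview parser: take the first run of hostname
    characters after the scheme and stop at any delimiter (':', '@', '/')."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([a-z0-9.-]+)", url, re.I)
    return m.group(1).lower() if m else ""


def real_host(url: str) -> str:
    """The host a standards-compliant parser (and the browser) will actually
    connect to: the authority's host, after any userinfo@ prefix."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower()


def is_spoofed(url: str) -> bool:
    """Flag a link whose displayed host differs from the host that would be
    opened, or that carries any userinfo at all. Credentials embedded in a
    QR code link are almost never legitimate and are a standard phishing tell."""
    parts = urlsplit(url)
    has_userinfo = parts.username is not None or parts.password is not None
    return has_userinfo or naive_display_host(url) != real_host(url)


def preview(url: str) -> str:
    """Build a safe preview string: name the host that will really be opened
    and warn when the link would have been displayed as something else."""
    if is_spoofed(url):
        return f"WARNING: link opens {real_host(url)!r}, not {naive_display_host(url)!r}"
    return f"Open {real_host(url)!r} in Safari"


if __name__ == "__main__":
    for u in (HONEST_URL, SPOOFED_URL, LOOKALIKE_URL):
        print(u)
        print("  naive preview host:", naive_display_host(u))
        print("  real host:         ", real_host(u))
        print("  verdict:           ", preview(u))
```

Note the limit of the check: `LOOKALIKE_URL` passes, because both parsers agree on the host. The parser-confusion bug is fixable in software; a convincing lookalike domain is not, which is why the host shown in a preview still has to be read carefully before tapping.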
Roman discovered this in iOS 11.2.1; we tested it in iOS 11.2.6, the iOS 11.3 beta, and the iOS 11.3 release, and it persisted in all of them. The bug was reported to Apple on Dec. 23, 2017, but was not fixed until April 24, 2018, when iOS 11.3.1 was released to the public.
All an attacker needs to do to phish your credentials is host a convincing clone of the site you think you're visiting, at a URL that looks almost exactly like the one it's masquerading as, encode the spoofed link in a QR code, and wait for people to scan it.
Apple fixed the issue, tracked as CVE-2018-4187, in the iOS 11.3.1 update on April 24, 2018. So if you like using your Camera app to scan QR codes, simply update your iPhone to iOS 11.3.1.
Whether you scan QR codes daily or almost never, you may want to disable the QR code scanner in the Camera app if you are concerned about this from a security perspective. Even though Apple fixed the issue, it shows that stock Apple apps are not immune to this kind of spoofing.
The chances of scanning a malicious QR code are relatively low, but the fix is cheap: either update to iOS 11.3.1, or open the Settings app, tap "Camera," then toggle off "Scan QR Codes."
If you scan a lot of QR codes and don't want to update to iOS 11.3.1 just yet, you might want to go back to a third-party QR code scanner until you're ready to trust the stock app again. We tested all of the free QR code readers below, and none of them opened the spoofed page as intended. Some ran a web search for the string, others failed to read the URL at all, treated it as an email link, or simply crashed. Either way, the failure was obvious, and none of them went directly to the malicious website.
- QR Reader for iPhone
- QR Scanner and Barcode Reader
- Free QR Code Reader & Barcode Scanner for iPhone
- QR Code Reader ·
- QR Code Reader - QR Scanner & QR Code Generator
- QR Code Scanner iRocks
- QR Code Reader & Creator.
- QR Code Reader and Scanner
- Barcode Scanner - QR Code Reader & QR Scanner
- Bakodo - Barcode Scanner and QR Bar Code Reader
- QR Code Scanner - QR Reader & Barcode Scanner
As mentioned above, the chances of scanning a malicious QR code are low, but it is definitely possible, so a third-party app is a reasonable stopgap if you're running iOS 11.3 or lower. Otherwise, install iOS 11.3.1 to be protected.
Editor's note: Article updated on April 24, 2018, when Apple released iOS 11.3.1.