One downside to iOS 11's awesome built-in QR code scanner in the Camera app is its only been live for a short while. In its short life, there has already been a security vulnerability discovered that was an issue for at least the last 4.5 months, but Apple has finally patched this weakness with its iOS 11.3.1 update.
Ever since at least iOS 11.2.1, if you were to scan a malicious QR code, the popup that shows up in the Camera app could display the URL for what you think you're about to open in Safari when it really would take you to a different domain altogether, which could possibly be a phishing domain meant to look like the domain it said it was sending you to.
Phishing sounds scary enough to stop you from using the Camera app for QR codes or at least use a third-party QR code scanner instead, but now you don't have to. Apple quietly fixed this problem with the iOS 11.3.1 update on Tuesday, April 24, with little fanfare. In fact, Roman Mueller, the security consultant who first discovered the issue, also discovered that the fix went live, writing on his Twitter:
Yep, iOS 11.3.1 fixed the QR parser bug I reported (CVE-2018-4187). Two interesting things: @wester is also credited for it - bug collision? Would be curious [sic] to know when he reported it. And macOS 10.13.4 also gets a fix for it, wasn't even aware of it being a problem there.
And with this my Twitter handle is now posted at an official Apple security advisory page: support.apple.com/en-us/HT208743
If you dive into the 11.3.1 security content log, you might not think Apple implemented the fix. However, look under "LinkPresentation," and you can see what Mueller is talking about here:
Impact: Processing a maliciously crafted text message may lead to UI spoofing
Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.
CVE-2018-4187: Zhiyang Zeng (@Wester) of Tencent Security Platform Department, Roman Mueller (@faker_)
Regardless of who ultimately alerted Apple to the QR code-scanner vulnerability, the company has now taken the steps to patch it in not only iOS 11.3.1 but also the first and second beta versions for iOS 11.4. While iOS 11.3.1 released at the time of this article, the first 11.4 beta went live April 2.
If you want to use your iPhone's built-in scanner now that the security problems are done with, make sure to check out our iOS 11 Camera guide to learn how it's done.