iPhone QR code reader bug can send users to malicious websites

QR Reader is one of those iOS 11 features that has been relatively safe from vulnerabilities. Here’s a new critical vulnerability that was just discovered in iPhone’s QR reader.

iPhone’s QR Reader can be easily tricked

Beginning with iOS 11, iPhone users can scan QR codes without third-party apps. All you need to do is open the camera and point it towards to the QR code that you wish to scan.

Though this feature is rather simple to use, a new QR code reader vulnerability can easily lead to full device compromise. 

The reason behind this is that the stock camera app is unable to properly parse URL associated with the QR Code. This vulnerability affects all iOS versions up to iOS 11.2.6.

iPhone QR Code Reader

Hacker Faker Roman reported this bug to Apple’s security team on December 23, 2017. Surprisingly, Apple is yet to take necessary action in order to patch it.

Hopefully, it will be patched in the upcoming iOS 11.3 firmware update, which will also address a lot of other issues.

How this iOS 11 QR code reader bug works

  • The user scans a QR code with his iPhone.
  • iOS displays a notification regarding the URL associated with the code. This web address follows the format – https: // xxx \ @ <website A>: 123@<website B>
  • The user can visit website A in Safari by tapping the notification.
  • Ideally, the camera app should detect “xxx \” as the username and send it to “<website A>:123”. However, it takes “xxx \ @ <website A>” as the username and sends “123” as the password to website B.
  • Now instead of going to website A, Safari will instead open website B, which could potentially harm your device.

Here’s how this vulnerability looks like in action.

How can you stay protected?

This bug is dangerous for users who tend to use QR codes a lot. However, it can’t be a considered a “critical” vulnerability since a lot of users don’t have a jailbroken device.

The real danger lies in jailbroken devices that already have powerful exploits in place. These exploits could end up giving a hacker unfettered root access to your device.


Until Apple rolls out a patch, steer clear of QR codes. If you really need to scan a code, ensure it comes from a reputed source or website.

For more iPhone security news and updates, give us thumbs up on Facebook and Twitter.

Leave a Reply

Share via
Copy link
Powered by Social Snap