Posted on March 30, 2018 at 6:32 PM
The flaw was discovered three months ago, but Apple has not attempted to fix it yet. It affects the QR code reading part of the camera.
Just some several days ago, security researchers discovered a group of malware contaminated QR reader apps on the Play Store. The apps were reportedly downloaded at least 500,000 times. And now it seems the iOS platform has also suffered from its own attack.
A security researcher at InfoSec company, Roman Mueller, reported that he had discovered a flaw in the iOS platform. The flaw was located in the iPhone camera app and affected the way it managed QR codes. The vulnerability led any user to a malicious destination through redirection.
Mueller noted that the flaw was located on the QR code scanning ability of the app, which is done automatically. As a result, a URL that is not suspicious is shown, and users are led to some infected websites.
Which iOS is affected?
Mueller showed his discovery with some examples. In his example, the QR code that the camera app of the iPhone recorded showed a link that led to Facebook.com. The link was through Safari, Apple’s default browser. After pressing the link, the user would then be directed to Mueller’s own website. He also managed to show the notification which popped up when the camera scanned the QR code. The phone was using an iOS 11.2.1 version.
The iOS 11 saw the introduction of a new built-in camera for Apple products. The built-in camera app allows users to be able to scan through QR codes. These codes allow them to get to any link or access any content in the code. This also enabled users to save space on their phones because there would be no need for third-party apps on their phones.
According to Mueller, only a few minutes are needed to create a link to show after the QR code scanning. The link doesn’t have to be legit or anything, therefore making it dangerous for the users. He also added that the flaw was dangerous for users if cybercriminals pounced on it. If hackers can get to it, they can lead users to phishing sites through which they will have their personal information taken.
Mueller notified the parent company, Apple, about the flaw back in December, but the company has not fixed it yet. Due to the time elapsed since the notification to Apple, Mueller decided it was better if he showed the flaw publicly. As a result, he hopes that as the security world will be restless, Apple will be moved to produce a solution. The flaw is easy to exploit, showing its seriousness, and a patch should be released immediately.
Hackers have always tried to find ways to capitalize on the technology industry. Given chances like this, they will pounce and when they do, the consequences will be great. Users are the only people at risk, and it would be wise for Apple to find a way to solve this problem quickly. Considering their great detail to security, it is best they move forward on it.