Recently, Apple’s iOS mobile platform, well known for its security and stability, has repeatedly been exposed to serious vulnerabilities that affect the security of the system. The QR code scanning built into the default iOS camera application has a flaw: after scanning a barcode, the app can open a malicious website without the user’s knowledge.
On iOS 11, users simply open the default camera app and point the camera of an iPhone or iPad at a QR code, which the app reads and lets them interact with in a convenient way. When the QR code contains the URL of a website, iOS displays the link and asks the user to confirm opening it. In practice, however, this feature is easy to deceive: the prompt can display one URL while the link actually takes the user to a different one. This was discovered by the Infosec site, which reproduced the problem with a QR code whose link appears to open the facebook.com page but actually leads to their own website.
You can test this yourself by scanning the QR code below with the camera app on iOS 11.2.1 or higher:
You will indeed get the message “Open ‘facebook.com’ in Safari”, but when you tap it, the system will open infosec.rm-it.de. The way Infosec “tricks” iOS in this case is that they embedded the website in the QR code in the following format: https://xxx\@facebook.com:email@example.com/
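The root cause the article describes is two URL parsers disagreeing about where the host begins: the preview shows the text after the first “@”, while the browser navigates to the host after the last “@”. The following Python example is added here to illustrate that and is not code from the article or from Infosec. The naive_preview_host function is a hypothetical model of a preview extractor (an assumption, not Apple’s implementation), navigation_host uses Python’s urllib as a stand-in for the browser’s parser, and safe_to_open shows the defensive check a scanner should apply: never open a link whose displayed host differs from the host that will actually be contacted, and treat any URL carrying userinfo as suspect.

```python
from urllib.parse import urlsplit

# Constructed copy of the payload format quoted in the article, with the
# extraction spaces removed. Whatever follows the last "@" is the real target.
QR_PAYLOAD = "https://xxx\\@facebook.com:email@example.com/"


def naive_preview_host(url: str) -> str:
    """Hypothetical preview extractor (an assumption modelled on the behaviour
    the article describes, not Apple's code): take the authority, drop
    everything up to the FIRST '@', and stop at the next ':' or '/'."""
    authority = url.split("://", 1)[1].split("/", 1)[0]
    if "@" in authority:
        authority = authority.split("@", 1)[1]
    return authority.split(":", 1)[0]


def navigation_host(url: str) -> str:
    """Host a standards-style parser will actually connect to. urllib, like
    browsers, ends the userinfo at the LAST '@' of the authority."""
    return urlsplit(url).hostname or ""


def safe_to_open(url: str) -> tuple[bool, str]:
    """Defensive gate for a QR scanner: refuse URLs that embed credentials at
    all, and refuse when the host shown to the user is not the host that
    will be navigated. Returns (ok, reason_or_host)."""
    parts = urlsplit(url)
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present in URL"
    shown = naive_preview_host(url)
    real = navigation_host(url)
    if shown != real:
        return False, f"display host {shown!r} != navigation host {real!r}"
    return True, real


if __name__ == "__main__":
    print("preview shows   :", naive_preview_host(QR_PAYLOAD))
    print("browser opens   :", navigation_host(QR_PAYLOAD))
    print("scanner decision:", safe_to_open(QR_PAYLOAD))
    print("clean link      :", safe_to_open("https://facebook.com/"))
```

Run as-is, the preview extractor reports facebook.com while urllib reports example.com for the same string, which is exactly the mismatch the article describes; the gate rejects the payload because the authority contains userinfo, and accepts the plain facebook.com link. The general lesson for any app that previews a scanned or pasted link is to derive the displayed host from the same parser that performs the navigation, rather than from a second, simpler parse of the raw string.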
Infosec said they reported this vulnerability to Apple on December 23rd, but they do not understand why it has not yet been resolved, and to date Apple has not given any official response.