A vulnerability in the QR code reader of the built-in Camera app makes it possible to direct users to compromised websites while passing them off as safe. It was reported by researchers at Infosec, who discovered the problem in December last year but are still waiting for a fix.
To convince a user that they are going to facebook.com while actually sending them to infosec.rm-it.de, it is enough for the attacker to write the URL in this format:
As a result, iOS reads only the first address, while the second stays out of the system's sight. To check this yourself, scan the QR code above with the camera of your iPhone or iPad. You will be offered a link to the Facebook website, but you will be taken to a page with Infosec's content.
However, things are not as bad as they might seem at first glance. If you expand the banner instead of tapping it immediately, you can see that the URL in the QR code was forged. In short, attentiveness is everything.