A vulnerability in the QR code reader built into the iOS camera app could allow users to be directed to a malicious website without their knowledge.

As of iOS 11, you can simply point your iPhone at a QR code using the standard camera app, and it will read and act on the code. In the case of an embedded website URL, iOS shows you the link address and asks you to tap to confirm you want to visit it. But you may not be visiting the link displayed …

Infosec found that it is easy to fool the reader such that it displays one URL but visits a different one. The site demonstrates this with a QR code which asks you if you want to open facebook.com in Safari, but in fact sends you to its own website.

If you scan [the QR code below] with the iOS (11.2.1) camera app, it will show this notification:

Open “facebook.com” in Safari

But if you tap it to open the site, it will instead open https://infosec.rm-it.de/

All it takes to achieve this is to embed an URL in this format:


iOS displays the first URL but takes you to the second one. Here’s the QR code so you can try it for yourself:

The site says that the glitch was reported to Apple on December 23 last year, but still hasn’t been fixed. We’ve reached out to Apple for comment, and will update with any response. You can see other uses of QR codes in our ‘top 10 uses’ piece.

Check out 9to5Mac on YouTube for more Apple news:

FTC: We use income earning auto affiliate links. More.

Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear