A vulnerability in the QR code reader built into the iOS camera app could allow users to be directed to a malicious website without their knowledge.

As of iOS 11, you can simply point your iPhone at a QR code using the standard camera app, and it will read and act on the code. In the case of an embedded website URL, iOS shows you the link address and asks you to tap to confirm you want to visit it. But you may not be visiting the link displayed …


Infosec found that it is easy to fool the reader such that it displays one URL but visits a different one. The site demonstrates this with a QR code which asks you if you want to open facebook.com in Safari, but in fact sends you to its own website.

If you scan [the QR code below] with the iOS (11.2.1) camera app, it will show this notification:

Open “facebook.com” in Safari

But if you tap it to open the site, it will instead open https://infosec.rm-it.de/

All it takes to achieve this is to embed an URL in this format:


iOS displays the first URL but takes you to the second one. Here’s the QR code so you can try it for yourself:

The site says that the glitch was reported to Apple on December 23 last year, but still hasn’t been fixed. We’ve reached out to Apple for comment, and will update with any response. You can see other uses of QR codes in our ‘top 10 uses’ piece.

Check out 9to5Mac on YouTube for more Apple news:

About the Author

Ben Lovejoy's favorite gear