Mueller Fight

Written by: Damian Jennings
Date Posted: 27 March 2018
Category: Blog

Do you use the (fairly) new ability that your iPhone camera has to be able to decipher QR codes? No, me neither.

But, if you do, then watch out. A German researcher has worked out a flaw in the way the camera app handles QR data.

Roman Mueller worked out that Naughty People could make you go to www.naughtypeople.com rather than your intended destination of www.fluffykittens.com.

Ruh roh.

And it’s pretty easy. You do some code like this:

https://xxx\@fluffykittens.com:443@hyve.com/bwahaahaa

(I made one, it works at the time of going to press).

Then, when you point your camera at the QR thingy, it will say “Do you want to open fluffykittens.com in Safari?”

Issue is that Safari will actually take you to hyve.com/bwahaahaa – which creates the problem.

Now, when I was 14, if QR codes and iPhones existed I can imagine making loads of stickers of QR codes with something like “Jesus loves you, click for redemption”. When the unwitting fop QRd that, they’d be taken to a video of me on a loop shouting something obscene. Oh how I would have laughed.

But, massive larks aside, this could be used for bad bad things.

It’s not clear where the bug lies, because Apple isn’t very forthcoming sharing their code, oddly enough.
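The mismatch described above, as an added example that is not from the original post or from Apple: a check an app could run on a QR-decoded URL before showing a host name to the user. The "first @" reading is an assumption about how a lenient parser might split the string, since the real cause is unknown; all function names are hypothetical.

```javascript
// Added example: flag QR-decoded URLs whose authority part can be read
// differently by different parsers. Function names are hypothetical.

// Authority per RFC 3986: everything after "//" up to the first "/", "?" or "#".
function authorityOf(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(url);
  return m ? m[1] : null;
}

// RFC 3986 reading: userinfo ends at the LAST "@"; the host follows it.
function hostAfterLastAt(authority) {
  const hostPort = authority.slice(authority.lastIndexOf("@") + 1);
  return hostPort.replace(/:\d*$/, "").toLowerCase();
}

// Assumed lenient reading: userinfo ends at the FIRST "@",
// and the host stops at the next ":" or "@".
function hostAfterFirstAt(authority) {
  const at = authority.indexOf("@");
  const rest = at === -1 ? authority : authority.slice(at + 1);
  return rest.split(/[:@]/)[0].toLowerCase();
}

function inspectQrUrl(url) {
  const authority = authorityOf(url);
  if (authority === null) return { url, verdict: "not-a-hierarchical-url", reasons: [] };
  const reasons = [];
  if (authority.includes("\\")) reasons.push("backslash in authority");
  const atCount = authority.split("@").length - 1;
  if (atCount > 1) reasons.push("more than one '@' in authority");
  else if (atCount === 1) reasons.push("userinfo present");
  const strictHost = hostAfterLastAt(authority);
  const naiveHost = hostAfterFirstAt(authority);
  if (strictHost !== naiveHost) reasons.push("parsers disagree on host");
  return { url, strictHost, naiveHost, verdict: reasons.length ? "reject" : "ok", reasons };
}

// Constructed inputs: the URL from the post plus an ordinary one.
const samples = [
  "https://xxx\\@fluffykittens.com:443@hyve.com/bwahaahaa",
  "https://fluffykittens.com/cats?id=1",
];
for (const s of samples) console.log(inspectQrUrl(s));
```

IPv6 literal hosts are also rejected by this check, because the two readings split them differently.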

Mueller reported the bug to Apple on December 23 last year and Apple haven’t sorted it, so Mueller told everyone – standard protocol for bug hunters. (We wrote about bug bounties here, it’s quite interesting).

A new version of iOS is due to drop today, probably. So they might have fixed it. Then again, they might not have.

Now, where’s my sheet of sticker paper for the office printer?
