{"id":58318,"date":"2018-03-27T09:17:26","date_gmt":"2018-03-27T00:17:26","guid":{"rendered":"http:\/\/www.softantenna.com\/wp\/?p=58318"},"modified":"2018-03-27T09:17:26","modified_gmt":"2018-03-27T00:17:26","slug":"ios-11-qr-code-vulnerability","status":"publish","type":"post","link":"https:\/\/softantenna.com\/blog\/ios-11-qr-code-vulnerability\/","title":{"rendered":"iOS 11\u306eQR\u30b3\u30fc\u30c9\u30ea\u30fc\u30c0\u30fc\u306b\u8aa4\u8a98\u5c0e\u306e\u8106\u5f31\u6027\u304c\u767a\u898b\u3055\u308c\u308b"},"content":{"rendered":"<p><img decoding=\"async\" style=\"display:block; margin-left:auto; margin-right:auto;\" src=\"https:\/\/softantenna.com\/blog\/wp-content\/uploads\/2018\/03\/Iiphone-qr-code-bug.jpg\" alt=\"Iphone qr code bug\" title=\"iphone-qr-code-bug.jpg\" border=\"0\" width=\"1200\" height=\"849\" \/><\/p>\n<p>iOS 11\u306e\u30ab\u30e1\u30e9\u30a2\u30d7\u30ea\u306b\u306f\u3001QR\u30b3\u30fc\u30c9\u3092\u8aad\u307f\u8fbc\u307f\u6307\u5b9a\u3055\u308c\u305fURL\u3092\u30d6\u30e9\u30a6\u30b6\u3067\u958b\u304f\u3053\u3068\u304c\u3067\u304d\u308bQR\u30b3\u30fc\u30c9\u30ea\u30fc\u30c0\u30fc\u306e\u6a5f\u80fd\u304c\u642d\u8f09\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3068\u3053\u308d\u304c\u3053\u306eQR\u30b3\u30fc\u30c9\u30ea\u30fc\u30c0\u30fc\u306b\u4e0d\u5177\u5408\u304c\u5b58\u5728\u3057\u3001\u672c\u6765\u306eURL\u306e\u30db\u30b9\u30c8\u540d\u3068\u306f\u7570\u306a\u308b\u30db\u30b9\u30c8\u540d\u3092\u901a\u77e5\u6642\u306b\u8868\u793a\u3057\u3066\u3057\u307e\u3046\u4e0d\u5177\u5408\u304c\u5b58\u5728\u3059\u308b\u3068\u6307\u6458\u3055\u308c\u3066\u3044\u307e\u3059(<a href=\"https:\/\/www.macrumors.com\/2018\/03\/26\/ios-11-qr-code-vulnerability\/\">MacRumors<\/a>)\u3002<\/p>\n<p>\u8106\u5f31\u6027\u3092\u767a\u898b\u3057\u305f<a href=\"https:\/\/infosec.rm-it.de\/2018\/03\/24\/ios-camera-qr-code-url-parser-bug\/\">Infosec<\/a>\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u7814\u7a76\u8005Roman Mueller\u6c0f\u306f\u3001\u3053\u306e\u4e0d\u5177\u5408\u3092\u60aa\u7528\u3057\u3066\u3001\u901a\u77e5\u3067\u8868\u793a\u3055\u308c\u305f\u30db\u30b9\u30c8\u540d\u3068\u5168\u304f\u7570\u306a\u308bWeb\u30b5\u30a4\u30c8\u306b\u30e6\u30fc\u30b6\u30fc\u3092\u8a98\u5c0e\u3067\u304d\u308b\u3068\u3057\u3001\u5b9f\u969b\u306b\"facebook.com\u3092\u958b\u304f\"\u3068\u3044\u3046\u901a\u77e5\u3092\u8868\u793a\u3057\u305f\u3042\u3068\u3001\u81ea\u5206\u306e\u30b5\u30a4\u30c8\u3092\u30d6\u30e9\u30a6\u30b6\u3067\u958b\u304f\u30c7\u30e2\u3092\u516c\u958b\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u30ab\u30e1\u30e9\u30a2\u30d7\u30ea\u306eQR\u30b3\u30fc\u30c9\u8aad\u307f\u53d6\u308a\u6a5f\u80fd\u3067\u4f7f\u7528\u3055\u308c\u3066\u3044\u308bURL\u306e\u89e3\u6790\u51e6\u7406\u304c\u6b63\u3057\u304f\u304a\u3053\u306a\u308f\u308c\u3066\u304a\u3089\u305a\u3001\u30db\u30b9\u30c8\u540d\u304c\u6b63\u3057\u304f\u5207\u308a\u53d6\u3089\u308c\u3066\u3044\u306a\u3044\u3053\u3068\u304c\u539f\u56e0\u3068\u306e\u3053\u3068\u3002<\/p>\n<p><img decoding=\"async\" style=\"display:block; margin-left:auto; margin-right:auto;\" src=\"https:\/\/softantenna.com\/blog\/wp-content\/uploads\/2018\/03\/Iios_3-300x294.jpg\" alt=\"Ios 3 300x294\" title=\"ios_3-300x294.jpg\" border=\"0\" width=\"300\" height=\"294\" \/><\/p>\n<p>\u5177\u4f53\u7684\u306b\u306f\u4e0a\u306eQR\u30b3\u30fc\u30c9\u304c\u8868\u3059\u300chttps:\/\/xxx\\@facebook.com:443@infosec.rm-it.de\/\u300d\u3068\u3044\u3046URL\u3092\u8aad\u307f\u8fbc\u307e\u305b\u308b\u3068\u3001\u300cfacebook.com\u300d\u304c\u901a\u77e5\u3068\u3057\u3066\u8868\u793a\u3055\u308c\u308b\u306e\u306b\u3082\u304b\u304b\u308f\u3089\u305a\u3001Safari\u3067\u306f\u300cinfosec.rm-it.de\u300d\u304c\u958b\u304b\u308c\u3066\u3057\u307e\u3046\u3088\u3046\u3067\u3059(iOS 11.2.6\u3067\u5b9f\u969b\u306b\u78ba\u8a8d\u3067\u304d\u307e\u3057\u305f)\u3002<\/p>\n<blockquote><p>The URL embedded in the QR code is: https:\/\/xxx\\@facebook.com:443@infosec.rm-it.de\/ <\/p>\n<p>But if you tap it to open the site, it will instead open https:\/\/infosec.rm-it.de\/ <\/p>\n<p>The URL parser of the camera app has a problem here detecting the hostname in this URL in the same way as Safari does. It probably detects \u201cxxx\\\u201d as the username to be sent to \u201cfacebook.com:443\u201d. While Safari might take the complete string \u201cxxx\\@facebook.com\u201d as a username and \u201c443\u201d as the password to be sent to infosec.rm-it.de. This leads to a different hostname being displayed in the notification compared to what actually is opened in Safari.\n<\/p><\/blockquote>\n<p>QR\u30b3\u30fc\u30c9\u306e\u554f\u984c\u306fApple\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30c1\u30fc\u30e0\u306b\u5bfe\u30572017\u5e7412\u670823\u65e5\u306b\u5831\u544a\u6e08\u307f\u3060\u3063\u305f\u306e\u306b\u3082\u304b\u304b\u308f\u3089\u305a\u30012018\u5e743\u670824\u65e5\u306e\u6bb5\u968e\u3067\u4fee\u6b63\u3055\u308c\u3066\u3044\u306a\u3044\u3068\u8aac\u660e\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>iOS 11\u306e\u30ab\u30e1\u30e9\u30a2\u30d7\u30ea\u306b\u306f\u3001QR\u30b3\u30fc\u30c9\u3092\u8aad\u307f\u8fbc\u307f\u6307\u5b9a\u3055\u308c\u305fURL\u3092\u30d6\u30e9\u30a6\u30b6\u3067\u958b\u304f\u3053\u3068\u304c\u3067\u304d\u308bQR\u30b3\u30fc\u30c9\u30ea\u30fc\u30c0\u30fc\u306e\u6a5f\u80fd\u304c\u642d\u8f09\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3068\u3053\u308d\u304c\u3053\u306eQR\u30b3\u30fc\u30c9\u30ea\u30fc\u30c0\u30fc\u306b\u4e0d\u5177\u5408\u304c\u5b58\u5728\u3057\u3001\u672c\u6765\u306eURL\u306e\u30db\u30b9\u30c8\u540d\u3068\u306f\u7570\u306a\u308b [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":58319,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"swell_btn_cv_data":"","footnotes":""},"categories":[46],"tags":[3303,3845],"class_list":["post-58318","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ios","tag-ios","tag-ios11"],"_links":{"self":[{"href":"https:\/\/softantenna.com\/blog\/wp-json\/wp\/v2\/posts\/58318","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/softantenna.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/softantenna.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/softantenna.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/softantenna.com\/blog\/wp-json\/wp\/v2\/comments?post=58318"}],"version-history":[{"count":0,"href":"https:\/\/softantenna.com\/blog\/wp-json\/wp\/v2\/posts\/58318\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/softantenna.com\/blog\/wp-json\/wp\/v2\/media\/58319"}],"wp:attachment":[{"href":"https:\/\/softantenna.com\/blog\/wp-json\/wp\/v2\/media?parent=58318"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/softantenna.com\/blog\/wp-json\/wp\/v2\/categories?post=58318"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/softantenna.com\/blog\/wp-json\/wp\/v2\/tags?post=58318"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}