What is required to reproduce the issue?

iPhone Camera app and a QR code encoding a malicious domain → https://aρple.com

Summary

The internationalised domain name (IDN) homograph attack is a way a malicious party may deceive computer users about which remote system they are communicating with, by exploiting the fact that many different characters look alike (i.e., they are homographs, hence the name of the attack, although technically homoglyph is the more accurate term for different characters that look alike). For example, the Cyrillic, Greek and Latin alphabets each have letters that share the same shape but have a different meaning from their counterparts.

Steps to reproduce

  1. Visit https://www.the-qrcode-generator.com/
  2. Now enter the domain https://aρple.com and generate the QR code for it
  3. Scan the generated QR code with the iPhone Camera app

Expected results

  1. Camera app detects the punycode domain and redirects to the original domain.
  2. Camera app detects the punycode domain and does not allow users to be redirected to that website via the browser.
  3. Camera app warns users about the potentially malicious website.

Actual results

After the QR code for the domain https://aρple.com is scanned, instead of being redirected to apple.com the user is redirected to https://xn--aple-bod.com/
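The check the report asks for can be reproduced offline. The following is an added example, not code from the report or from Apple: it converts a scanned URL between its Unicode and punycode (xn--) forms with Python's standard library and flags any label that mixes letters from more than one script, which is the heuristic (assumed here) that browsers commonly use to decide when to show the punycode form or a warning.

```python
import unicodedata
from urllib.parse import urlsplit


def label_scripts(label: str) -> set[str]:
    """Return the set of scripts used by the letters in one DNS label.

    The script is approximated from the first word of each character's
    Unicode name (e.g. 'GREEK SMALL LETTER RHO' -> 'GREEK'); digits and
    hyphens carry no script and are ignored.
    """
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def analyze_host(url: str) -> dict:
    """Inspect the host of a URL and report its IDN forms and a verdict."""
    host = urlsplit(url).hostname or ""
    # A punycode host is decoded so the confusable rendered form can be
    # examined; a Unicode host is encoded so the on-the-wire form is known.
    if host.startswith("xn--") or ".xn--" in host:
        unicode_host = host.encode("ascii").decode("idna")
    else:
        unicode_host = host
    ascii_host = unicode_host.encode("idna").decode("ascii")
    mixed = [lab for lab in unicode_host.split(".")
             if len(label_scripts(lab)) > 1]
    return {
        "unicode": unicode_host,
        "ascii": ascii_host,
        "is_idn": unicode_host != ascii_host,
        "mixed_script_labels": mixed,
        # Mixed-script labels are the classic homograph signal; a scanner
        # would show the ascii form and warn instead of opening the page.
        "suspicious": bool(mixed),
    }


if __name__ == "__main__":
    # Constructed sample: 'a' + Greek small rho (U+03C1) + 'ple', as in the report.
    for sample in ("https://a\u03c1ple.com", "https://xn--aple-bod.com/",
                   "https://apple.com"):
        print(sample, "->", analyze_host(sample))
```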

Disclosure Timeline

  1. 17/01/2024, 14:16: Reported
  2. 22/01/2024, 21:49: Responded by Apple team: Expected behaviour
  3. 23/04/2026, 13:50: Requested for disclosure
  4. 10/05/2026, 1:44 PM: Published

If you wanna secure your apps and software do reach out to us at https://vrseclabs.in or email us security@vrseclabs.in