With iOS v11, the iOS camera app continually looks for QR codes and, when it finds one, displays a confirmation message asking the user whether they wish to open Safari at that URL. But a URL parsing error allows the true URL domain to be hidden behind a spoofed display URL. By exploiting the URL parsing flaw, one domain can be shown while another, entirely different domain is visited.
Full episode at twit.tv/sn657