by pixelbath 1136 days ago
Ok, taking this story at face value _despite_ it being from the Daily Mail...if your phone can "instantly download malware onto your device, stealing your location and personal information" without any prompting or further user action by simply visiting a URL, that seems like something the FBI should be warning device manufacturers about instead of the average person.

"QR codes scary and bad!" isn't a very productive line of discussion.

4 comments

It's funny how info travels. A local news site did a story about fraudsters covering up the "scan to pay" QR codes on parking meters with QR codes that take you to a fraudulent site. Totally plausible.

They throw in an unsourced assertion at the end that maybe hacking is possible. That then becomes the focus of this Daily Mail article.

https://news.ycombinator.com/item?id=35809719

How To Hack Using QR Codes

https://hackeracademy.org/how-to-hack-using-qr-codes/

A nontrivial amount of effort has been applied to this topic.

That article is stunningly light on actual substance, other than "you can generate QR codes with this repo" with a link to a repository that doesn't exist anymore. The best case they give for "issuing commands" is encoding a WiFi access point into a QR code. So you can encode a URL, or you can encode your WiFi data, because the data in a QR code is _literally text strings_. You could _possibly_ stick some malicious JavaScript in it, but again, if your device is allowing JS to randomly exfiltrate data from your phone through your browser, something worse is going on.

The actual statement from the FBI on this subject says "While QR codes are not malicious in nature, it is important to practice caution when entering financial information as well as providing payment through a site navigated to through a QR code." So the danger is really visiting malicious URLs, which was the entire point of my previous post.
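To make the "literally text strings" point concrete, here is an added example (not part of the thread or of any linked article) that takes the text a scanner has already decoded and reports what kind of payload it is and which host it actually points at. It assumes the de facto `WIFI:T:...;S:...;P:...;;` convention that phone scanners recognize; the function names, warning strings and sample value are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit
SAMPLE = "https://pay.example.com@203.0.113.7/meter"  # constructed, not from the thread

def parse_wifi(payload):
    """Parse the de facto 'WIFI:T:WPA;S:ssid;P:pass;;' text format into a dict."""
    fields, key, buf, i = {}, None, [], len("WIFI:")
    while i < len(payload):
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):
            buf.append(payload[i + 1])  # backslash escapes the next character
            i += 2
            continue
        if ch == ":" and key is None:   # first ':' ends the field name
            key, buf = "".join(buf), []
        elif ch == ";":                 # ';' ends the field value
            if key is not None:
                fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    return fields

def classify(payload):
    """Return (kind, details, warnings) for the text decoded from a QR code."""
    warnings = []
    if payload.upper().startswith("WIFI:"):
        f = parse_wifi(payload)
        auth = f.get("T", "nopass")
        warnings += ["open network"] if auth.lower() in ("", "nopass") else []
        return "wifi", {"ssid": f.get("S"), "auth": auth}, warnings
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme in ("http", "https") and parts.hostname:
        host = parts.hostname           # the host the browser will really contact
        if parts.username is not None:
            warnings.append("userinfo before @")
        if any(label.startswith("xn--") for label in host.split(".")):
            warnings.append("punycode host")
        try:
            ipaddress.ip_address(host)
            warnings.append("IP-literal host")
        except ValueError:
            pass
        return "url", {"host": host}, warnings
    if scheme:
        return "other-scheme", {"scheme": scheme}, ["opens a non-browser handler"]
    return "text", {}, warnings
```

`classify(SAMPLE)` reports the host as `203.0.113.7`, not the `pay.example.com` a person would read at the front of the link, which is the kind of lookalike URL a sticker over a parking-meter code relies on.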

I guess the assumption is that people just click "sure" when asked for location info "because whatever". I don't use these QR codes, but so many apps and websites seem to ask for it, it probably doesn't stand out as much as it should. And especially in a situation where you're distracted by your friends or that exciting date or whatever after a beer or two, I could imagine myself doing that as well, to be honest. I'm not stupid, but I'm also not on 100% alert all the time.
The apps that the restaurants want you to download are probably more of a privacy concern than the fake ones.