[conradev]

> Firstly, that’s a huge security risk in my mind, it’s like I am trying to open an email attachment from an unknown sender because nobody knows who put up these ads.

It's not like opening an email attachment, it's more like opening a URL. The only documented QR code attack I know of consists of a QR code with a malicious URL (http://isc.sans.edu/diary.html?storyid=12760). The QR code only served as a 'mask' to the URL, where the users were too ignorant to look at the URL before visiting it.

I don't think embedding malicious code in a QR code is practical or possible, mostly because the amount of data it can hold is very small. The only binary format I know of that is commonly used on a QR code is vCard; the rest are plaintext based formats.

[ramisayar]

I used the email analogy cause I figured that would be more obvious for people to recognize the security risk... it's hard to explain things like drive-by downloading for non-techy people.

[Tooluka]

But opening unknown URL IS dangerous. It's like URL shorteners that plague internet since Twitter - you never know where link will take you and what scripts etc. will run in your browser.

[dfxm12]

On my device (android with bar code scanner device), the experience is that I scan a QR code with a URL, it tells me that the QR code has a URL & shows me what the URL is, then gives me the option to visit the link.

Depending on if the URL is a shortened URL, it is just as safe or moreso than regular browsing.

Is your experience different from this?