by onetimeuse92304 910 days ago
The issue is, at least for me, I consider all QR codes as unsafe. Unfortunately, you don't know where the QR code leads you before you scan it and then it is already too late. So you can't do the equivalent of inspecting the link before you click it.

Recently we were in a restaurant which required scanning a QR code to get served (for some reason Asian restaurants like doing this). The codes were labels attached to the menu. I told the waitress "I can't scan the codes because I don't know who put the QR codes there". She said "the codes lead to their website". I told her "I don't know that, it takes a moment to print a label that looks exactly the same to my eye". She told me "it would then not point to their website". I asked if she knows what a MITM attack is. She responded "if you can't afford a phone we should leave and go somewhere else".

The funniest is those QR codes left at random in public. I imagine scanning these is like finding a random pendrive and putting it in your computer.

13 comments

Not only is this the wrong place to vent your annoyances with QR codes (it’s tangential to the Show HN) but you honestly come across as an unpleasant customer if that’s how you interact with your restaurant servers (you could have just said “my camera is broken, do you have an address I can type instead”).

> Unfortunately, you don't know where the QR code leads you before you scan it and then it is already too late.

iOS shows the domain if it is a URL and you have to tap it. It's no different from tapping on a link on a website, which I would say is more insecure since you don't even get the domain info before tapping.

This is true, but also mostly moot, sadly, due to the pervasive use of URL shorteners for QR code services.

So instead of seeing a nice hover-over of "SuperDeliciousItalian.com/menu", as often as not it will be "qr.to/f2CrS" or somesuch.

So exposing the URL encoded in the QR code doesn't provide all the information you need to assess its validity or safety.

That’s a risk with any and all hyperlinks. There’s nothing unique to QR codes with that.

while that's not exactly unique, it is something specific to QR codes. the longer the URL, the more complex the QR code will be. the more complex, the larger the block will need to be to ensure "scanability". most of the online free QR code generators I've seen have all recommended using a shortener. now, maybe they are trying to do that to collect all of the metrics they can by recommending a service that offer or get kickbacks from the shortening service.

An attacker is far more likely to hide behind punycode or a misleading subdomain like microsoft.com.orders.com because that adds more legitimacy than a URL shortener.

Professional uses of QR in advertisements would use URL shortening on their own domain, e.g. https://o2.com/trainpromo2 as that way they can demonstrate authenticity as well as owning the telemetry themselves.

Table service in restaurants doesn’t need to worry about data density because they have their customers literally sat at the table with the QR code in hand (it doesn’t get any easier to scan a code than like that).

If you’re dealing with a restaurant small enough not to have anyone manage the design then you can also bet that restaurant isn’t worth the effort targeting for this kind of attack. Think about what it would entail:

1. Having someone physically visit the restaurant

2. Measure that QR code so that you know the dimensions of the sticky label you want to print

3. Now visit that restaurant dozens more times to replace the existing QR codes. Each time hoping you get a different menu and/or table

4. Pull off this replacement in a short enough time so that people don’t report that their QR code does something different before you’ve captured enough devices (whatever your attack might be).

5. Hope that the owners don’t notice that the QR codes are now stickers (e.g. they don’t sit flush on the menu)

6. And hope that they don’t refresh their menus regularly. Which might even just happen because someone spilt the QR code / kids have drawn on it accidentally / etc.

7. And all the while, hope that you don’t get caught. Because restaurants will usually have cameras up. You better also not pay for your meal on card too.

It’s such an inefficient yet also high risk and short lived attack that it’s just not all that likely anyone would bother.

I do get the concern about opening up random websites, but rather than singling out QR codes specifically and letting everything else rot, I suggest we look at the root cause of the issues here. And that root cause isn’t QR codes.

you do realize that a QR code "attack" doesn't have to be malicious, yeah? it could be some guerrilla PR campaign of something like a local band essentially rick rolling the users. or sending them to the menu of the competing restaurant up the street. or goatse. or or or...

at that point, it could just be someone that printed up a bunch of stickers and plastered them on anything they could find. people love jokes. like unscrewing the salt/pepper shakers before they leave the restaurant type of asshattery. you really just need to get off this white knighting of the QR code and be a little more creative in your thinking of what could go wrong.

at this point, i'm just trying to keep going to make it look like this reply's length is worthy of whatever rabbit hole you went down in some vain attempt at trying to prove a point.

Many URL shortening services actually do offer a way of inspecting the URL before loading it. And the issue of URL shorteners is in no way specific to QR Codes (they originated on Twitter, where they are still most commonly used by my observation, even though the reason for doing so has gone away). QR Codes are usually used to point to content on your own domain, so you can control the URL, hence very little reason to use shorteners, which would likely cost you a few visitors.

There are fewer privacy assurances when opening a QR code, since it can encode a URL with precise physical information embedded within its query parameters (like "table number" at a restaurant, for example). That kind of information isn't available to the typical website.

(FWIW, I actually wish more table QR codes did contain these parameters - why do I need to enter the table number in the form after navigating to the online menu? I hate these things btw...)

> Unfortunately, you don't know where the QR code leads you before you scan it and then it is already too late

What are you so scared of? It isn't the 90s where by tricking someone into following a dodgy link their windows machine was instantly pwned.

Remote code execution vulns are still routinely discovered, for example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4199...

Trust me when I say randos aren’t dropping modern 0days on restaurant menus. Not when a novel attack can fetch millions through brokers.

Not only do I agree with you, but I don’t think anyone would be able to tell an attack was imminent if they were to see the URL anyway. I was just providing facts to the comment above that didn’t seem to think RCE are a thing anymore.

Makes sense, my phrasing was poor; I should have made that a more general statement not directed at you necessarily. I think the average techy has, through some combination of general news like this and just enough technical know-how, formed an unrealistic threat model for themselves.

> the average techy has through some combination of general news like this and just enough technical know how formed an unrealistic threat model for themselves.

amen :)

I've never heard of this domain before, so I shouldn't click on it because vulnerabilities in the browser are still routinely discovered.

Sorry for the sarcasm, but if you trust clicking on links in a browser, QR codes should be fine as well.

Yeah, if your threat model involves not trusting links, you should be disabling JavaScript and CSS by default and probably not browsing the web in the first place. Libpng and other libraries frequently have fairly critical bugs that are a bigger concern than MitM attacks.

There are apps that just scan the QR code into a text field no matter what its content is, then you can inspect the URL manually.

Unfortunately there’s a deeper problem in this security model, in that only a tiny tiny fraction of the web’s userbase knows how to assess a URL, and even experts can easily struggle.

If you consider all QR codes unsafe, then use a tool to check them; don't lecture the waitress on man-in-the-middle attacks...

I see some valid points.

1. A restaurant should provide a menu printed on paper or a panel. Sometimes pictures are used.
2. Verbal communication also serves that purpose well. And a friendly manner.
3. Some cameras don’t display the read input properly. Input is always in error until it is validated. User validation is required here.
4. You don’t need to invent excuses like “my camera is broken, I forgot my phone, bad eyesight…”.
5. You don’t have to carry around a camera, a cellular access terminal and a computer (consider this a description of a smartphone) with you.
6. The website can load arbitrary data with JavaScript and mine Bitcoin in a sandbox. It is not safe because it will drain the battery.

I like QR-Codes. They are analog and digital at the same time, printed on paper and machine-readable, and nobody ruined it with incompatibility. If possible the payload is printed as ASCII beside the codes.

PS: Similar. To provide a common base, prevent exclusion of unwanted customers and prevent against malicious data processing some jurisdictions require cash payment options.

> So you can't do the equivalent of inspecting the link before you click it.

Of course you can. Use an application that allows it.

IMO this is paranoid behavior and not healthy. Part of existing in society is having reasonable trust that just because someone can take advantage of you in a moment, doesn't mean they're going to. You're getting in an argument with a server because of your fear that a local hacker printed out a sticker, walked into your local restaurant, seamlessly put the sticker onto the table, didn't get caught, you just happened to sit at the exact table they picked, and whatever vulnerability they're trying to exploit is compatible with the exact device you have. That's not going to happen.

Scan the QR code, dude.

It depends on which app you are using to scan the codes. For Trak [1], the main use case is to scan QR codes you made yourself (or someone from your company made). The scanner simply rejects anything it doesn't recognise as a valid (app-specific) code.

[1] https://admin.trak.codes/

Android 14's camera shows you the URL and doesn't load it right away...

There are open source QR scanner apps on F-Droid which actually make you tick a box saying "I've checked the above URL and I want to visit that website" before they will open the browser.

Aren't there apps that just show the embedded text inside a QR instead of just opening the URL in a browser?

My QR code scanner shows me the content of the QR code. This is my Google Pixel phone btw.
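
Added example, not part of any comment in this thread and not any scanner app's own code: a sketch of the "show the decoded payload and check it before opening" step several commenters describe. It flags the cases raised above: shortener hosts such as qr.to, punycode hosts, a misleading subdomain like microsoft.com.orders.com, and query parameters such as a table number. The function name, the shortener and TLD lists, and the sample URLs in the comments are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Illustrative list only; qr.to is the example host used in the thread.
SHORTENERS = {"qr.to", "bit.ly", "t.co", "tinyurl.com"}
# Labels that normally appear only at the end of a host name (heuristic,
# not a substitute for the Public Suffix List).
TLD_LIKE = {"com", "net", "org", "io", "co"}


def inspect_qr_payload(payload: str) -> dict:
    """Return what a scanner could show the user before opening a payload."""
    parts = urlsplit(payload.strip())
    report = {"is_url": False, "host": None, "warnings": [], "params": {}}
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        report["warnings"].append("not an http(s) URL; show as plain text")
        return report

    host = parts.hostname.lower().rstrip(".")
    labels = host.split(".")
    report.update(is_url=True, host=host)

    if parts.scheme.lower() == "http":
        report["warnings"].append("plain http")
    if parts.username or parts.password:
        report["warnings"].append("userinfo before host")
    if any(l.startswith("xn--") for l in labels) or not host.isascii():
        report["warnings"].append("punycode/IDN host")
    if host in SHORTENERS:
        report["warnings"].append("URL shortener; destination hidden")
    # e.g. microsoft.com.orders.com: a TLD-like label before the final two
    if any(l in TLD_LIKE for l in labels[:-2]):
        report["warnings"].append("TLD-like label inside subdomain")

    # Query parameters can carry physical context, e.g. ?table=12 (constructed)
    report["params"] = dict(parse_qsl(parts.query, keep_blank_values=True))
    return report
```

An empty `warnings` list only means none of these heuristics fired; as the thread notes, a clean-looking URL says nothing about what the destination site does.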