[dweekly]

This is true, but also mostly moot, sadly, due to the pervasive use of URL shorteners for QR code services.

So instead of seeing a nice hover-over of "SuperDeliciousItalian.com/menu", as often as not it will be "qr.to/f2CrS" or somesuch.

So exposing the URL encoded in the QR code doesn't provide all the information you need to assess its validity or safety.

[hnlmorg]

That’s a risk with any and all hyperlinks. There’s nothing unique to QR codes with that.

[dylan604]

while that's not exactly unique, it is something specific to QR codes. the longer the URL, the more complex the QR code will be. the more complex, the larger the block will need to be to ensure "scanability". most of the online free QR code generators I've seen have all recommended using a shortner. now, maybe they are trying to do that to collect all of the metrics they can by recommending a service that offer or get kickbacks from the shortening service.

[hnlmorg]

An attacker is far more likely to hide behind puny code or a misleading subdomain like microsoft.com.orders.com because that adds more legitimacy than a url shortener.

Professional uses of QR in advertisements would use URL shortening on their own domain, eg https://o2.com/trainpromo2 as that way they can demonstrate authenticity as well as owning the telemetry themselves.

Table service in restaurants don’t need to worry about data density because they have their customers literally sat at the table with the QR code in hand (it doesn’t get any easier to scan a code than like that).

If you’re dealing with a restaurant small enough not to have anyone manage the design then you can also bet that restaurant isn’t worth the effort targeting for this kind of attack. Think about what it would entail:

1. Having someone physically visit the restaurant

2. Measure that QR code so that you know the dimensions of the sticky label you want to print

3. Now visit that restaurant dozens more times to replace the existing QR codes. Each time hoping you get a different menu and/or table

4. Pull of this replacement in a short enough time so that people don’t report that their QR code does something different before you’ve captured enough devices (whatever your attack might be).

5. Hope that the owners don’t notice that the QR codes are now stickers (eg they don’t sit flush on the menu)

6. And hope that they don’t refresh their menus regularly. Which might even just happen because someone spilt the QR code / kids have drawn on it accidentally/ etc

7. And all the while, hope that you don’t get caught. Because restaurants will usually have cameras up. You better also not pay for your meal on card too.

It’s such an inefficient yet also high risk and short lived attack that it’s just not all that likely anyone would bother.

I do get the concern about opening up random websites, but rather than singling out QR codes specifically and letting everything else rot, I suggest we look at the root cause of the issues here. And that root cause isn’t QR codes.

[dylan604]

you do realize that a QR code "attack" doesn't have to be malicious, yeah? it could be some gorilla PR campaign of something like a local band essentially rick rolling the users. or sending them to the menu of the competing restaurant up the street. or goatse. or or or...

at that point, it could just be someone that printed up a bunch of stickers and plastered them on anything they could find. people love jokes. like unscrewing the salt/pepper shakers before they leave the restaurant type of asshattery. you really just need to get off this white knighting of the QR code and be a little more creative in your thinking of what could go wrong.

at this point, i'm just trying to keep going to make it look like this reply's length is worthy of what ever rabbit hole you went down in some vain attempt at trying to prove a point.

[hnlmorg]

> you do realize that a QR code "attack" doesn't have to be malicious, yeah? it could be some gorilla PR campaign of something like a local band essentially rick rolling the users. or sending them to the menu of the competing restaurant up the street. or goatse. or or or...

They can do that already just by placing their logo, or whatever, instead of a QR code.

Plus whether it is malicious or not, it’s still hugely inefficient given all the other points I raised.

> at that point, it could just be someone that printed up a bunch of stickers and plastered them on anything they could find. people love jokes.

Again, nothing about this needs to be a QR code

> like unscrewing the salt/pepper shakers before they leave the restaurant type of asshattery.

And yet nobody suggests you shouldn’t use salt and pepper shakers at a restaurant. So why are QR codes suddenly “dangerous” if they’re at the same level of “asshattery”?

> at this point, i'm just trying to keep going to make it look like this reply's length is worthy of what ever rabbit hole you went down in some vain attempt at trying to prove a point.

I was giving you a breakdown as to why people don’t do the kind of QR attacks / jokes that you seem to assume are common place rather than just saying “nice theory but that doesn’t happen in the real world”. There’s no need for you to be snarky.

[dylan604]

> They can do that already just by placing their logo, or whatever, instead of a QR code

What in the world are you on about? Just slapping a logo on top of a QR code suggests to me you’ve lost the plot. The point is to hide your attempt at subverting the “attack”. You’re specifically trying to get the person to go to some other site in the normal process of scanning a QR code. Covering the original QR code with a logo would be obvious some subterfuge is at hand, and totally defeats the purpose. How is that not obvious to you?

> I was giving you a breakdown as to why people don’t do the kind of QR attacks / jokes that you seem to assume are common place rather than just saying “nice theory but that doesn’t happen in the real world”. There’s no need for you to be snarky

No, this is you: https://xkcd.com/386

[t_mann]

Many URL shortening services actually do offer a way of inspecting the URL before loading it. And the issue of URL shorteners is in no way specific to QR Codes (they originated on Twitter, where they are still most commonly used by my observation, even though the reason for doing so has gone away). QR Codes are usually used to point to content on your own domain, so you can control the URL, hence very little reason to use shorteners, which would likely cost you a few visitors.