Darius Kazemi

People on infosec Twitter keep saying it's extremely bad that lots of people scanned a random QR code. But I'm genuinely not sure how it's different than clicking on a link? My understanding is the flow for most users goes:

- take picture with phone
- see url preview
- click url

Is the issue that the preview step doesn't exist for a lot of people? Otherwise it seems similar to being presented with any url at all.

Unreasonably Adorable 🌮

@darius yeah, as far as I can tell the problem isn't anything to do with the QR code, it is applications that decode them and act without confirmation, like opening a link just by scanning it without anything else.

⛭ eiríkr ⛭

@darius I'm guessing also that maybe with URLs you can recognize the domain and have a bit more confidence, vs a totally random image? But that's just a guess.

Darius Kazemi

@d6 yeah, I guess I'm shocked that there are qr scanners that don't have a required "preview the URL before opening" step

Darius Kazemi

@lrhodes @d6 I mean the text of the URL is shown and then the user has to click it to open. No rendering of a page happens

yves adele fartlow

@darius yeah I think the big thing is the lack of preview on the URL, which a lot of QR code scanning ~experiences~ have fixed by previewing the QR codes you scan anyway

Maybe it's Eyesaline

@darius I think the issues are:

QR codes are opaque, so you have no idea what one will do, whereas you can see a URL's contents.

QR codes can hold arbitrary data, not just URLs, so you might exercise non-browser code paths that URLs can't reach.

You might also encode an app-specific deeplink to trigger bugs in, like, poorly written cryptoshit wallet programs.

It's probably 75% paranoia, but I wouldn't do it.

Darius Kazemi

@ieure can't you do an opaque app specific deep link by using a URL shortener and pointing it to say zoom://whatever and open a zoom meeting? Just as an example

Also I contend that many many people do not have the digital literacy to understand even the slightest bit of what a plaintext URL is telling them.

external quantum efficiency

@darius @ieure hmm I think there are code paths available via QR that aren't available to a bitly redirect, like maybe vcard?

Hmmm, there's lots of interesting stuff to do here: github.com/zxing/zxing/wiki/Ba. I like "join my wifi network"

prasoon

@darius
Most non-tech people I know don't understand anything about URLs. This includes people who only use apps to access the Internet, the browser not being one of them, and people who know that they can open some links in a browser but don't know about any part of the URL or what it does.
My personal observations have been consistent with what my friends working on fake news in communities with low digital literacy found.

Dan Bruno

@darius I don't know much about QR codes, but I thought part of their deal was that they could encode other things that devices could still recognize. Thinking of this old blog post about using them to pass wifi credentials: a.wholelottanothing.org/2019/1

Not sure if there is actually additional risk there compared to URLs, though!

Darius Kazemi

@danbruno someone on Twitter brought this up and it's the only truly compelling difference to me

christa

@darius I had assumed it's because QRs can do a lot more than visit URLs - send text messages, place a call, add a contact, link to an app, etc - and that a lot of folks don't expect that and it could be used for nefarious purposes if not careful, especially at a large scale with unexpecting folks. but, vague!
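The replies above list what a scanned code can trigger besides a web page: joining a wifi network, adding a contact, sending a text, placing a call, or opening an app-specific link (including the zoom:// case reachable through a redirect). The following is an added example written for this thread, not code from any scanner app or from the participants. It classifies a decoded payload and says what acting on it would do, so a scanner can show that preview and require confirmation before doing anything. The payload formats follow the common barcode-contents conventions (WIFI:, MECARD:, BEGIN:VCARD, tel:, sms:, mailto:, plus ordinary URLs); the risk labels and every sample payload are constructed for the demo.

```python
"""Classify a decoded QR payload before anything acts on it (added example)."""
import re
from urllib.parse import urlsplit, parse_qs

WEB_SCHEMES = {"http", "https"}
# "scheme:" at the start of the payload, followed by something that is not whitespace.
SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*:\S")


def _parse_wifi(payload: str) -> dict:
    """WIFI:T:WPA;S:ssid;P:pass;H:true;;  ->  {'T': 'WPA', 'S': 'ssid', ...}"""
    fields = {}
    for part in payload[len("WIFI:"):].split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key.upper()] = value
    return fields


def classify(payload: str) -> dict:
    """Describe what acting on the payload would do, without doing it.

    'risk' is a coarse, constructed label for how hard a scanner should
    insist on explicit confirmation: 'low' (inert text), 'medium' (browser
    navigation, where the user can at least see the address bar), 'high'
    (network or device side effects outside the browser).
    """
    p = payload.strip()
    upper = p.upper()

    if upper.startswith("WIFI:"):
        f = _parse_wifi(p)
        return {"action": "join_wifi", "target": f.get("S", ""),
                "auth": f.get("T") or "nopass",
                "hidden": f.get("H", "").lower() == "true", "risk": "high"}

    if upper.startswith("BEGIN:VCARD") or upper.startswith("MECARD:"):
        return {"action": "add_contact", "target": "contact card", "risk": "high"}

    if not SCHEME_RE.match(p):
        # No scheme: nothing to dispatch, just text to display.
        return {"action": "show_text", "target": p[:40], "risk": "low"}

    url = urlsplit(p)
    scheme = url.scheme.lower()
    query = parse_qs(url.query)

    if scheme in WEB_SCHEMES:
        # Only the first hop is visible here; a shortener or redirect can
        # still hand the browser a non-web scheme later on.
        return {"action": "open_web", "target": url.hostname or "", "risk": "medium"}
    if scheme == "tel":
        return {"action": "call", "target": url.path, "risk": "high"}
    if scheme == "sms":
        return {"action": "send_sms", "target": url.path,
                "body": query.get("body", [""])[0], "risk": "high"}
    if scheme == "mailto":
        return {"action": "compose_email", "target": url.path, "risk": "medium"}
    # Any other scheme is a deep link handed to whatever app registered it.
    return {"action": "open_app", "target": scheme, "risk": "high"}


def preview(payload: str) -> str:
    """One line a scanner could show before asking the user to confirm."""
    info = classify(payload)
    return f"[{info['risk'].upper()}] {info['action']} -> {info['target']}"


def needs_confirmation(payload: str) -> bool:
    """The behaviour the thread asks for: never act silently unless the payload is inert text."""
    return classify(payload)["risk"] != "low"


if __name__ == "__main__":
    SAMPLES = [  # constructed payloads for the demo
        "https://example.com/login?next=/account",
        "WIFI:T:WPA;S:CoffeeShop;P:hunter2;;",
        "zoom://zoom.us/j/1234567890",
        "tel:+15550100",
        "sms:+15550100?body=JOIN",
        "MECARD:N:Doe,John;TEL:15550100;;",
        "just a plain string",
    ]
    for s in SAMPLES:
        print(preview(s), "| confirm:", needs_confirmation(s))
```

The point of the split between classify and preview is that the scanner decides what the payload is before any handler runs: a wifi or contact payload never reaches the browser, and a deep link is named by its scheme rather than silently opened by whichever app claimed it.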

mhoye

@darius They're no different from links, but the advice and training we've given the world about URLs - "don't follow a link to your bank, if it's important use a bookmark, type it in", etc - has no cognitive or tooling equivalent in the QR process.
