65 comments

[ 2.3 ms ] story [ 129 ms ] thread
Someone else on HN earlier posted their QR-code scanning Android app[1], which I've been using because it doesn't automatically follow URLs but displays the raw text of the QR code. It's been helpful for me, especially when I've been setting up QR codes for a new wireless router.

[1]: https://github.com/prof18/Secure-QR-Reader

If you want something available on F-Droid check out https://f-droid.org/packages/com.example.barcodescanner
God F-Droid is amazing!

Really wish there was an F-Droid equivalent for iOS.

But Apple probably wouldn't like that.

Ouch. I, on the other hand, would not trust an appId from the example.com domain.
Why? I'm not an Android dev but the appId just identifies an app right?

If the author doesn't have a domain, what should they do instead?

My Samsung Galaxy S9 scans QR code if I point default camera app to a QR code. It doesn't open it by default, but shows a link I can tap on. Within settings you can disable QR scanning too if you like.
I've been using Firefox as a QR code reader, as it too doesn't follow the link, plus it's already there on my home screen.
As I understand it, a QR code is just a URL.

If we were to have standardized font that had distinct characters (there are plenty), it would be no harder for a computer to scan and understand than a qr code, and would take less space on the packaging or app.

The only reason that QR codes are a thing is that, by virtue of them not being human readable, you can put in minutae for tracking, the user doesn't realize what they are getting into, and the user can't modify it to remove offensive parts (like stripping out all the gook in a nGoogle search result URL).

All complaints about tinyURLs in their time are vaid for QR, and then some.

If there was some way to push at least the "good" companies, (like, um... ) to use a url instead of a code... but I fear that boat has sailed.

Reading urls even with a standard font is way way harder than reading a QR (for computers). Often when you see a QR code they will print the url below.
>Often when you see a QR code they will print the url below.

But there is nothing telling you that the QR code is corresponding to the text, for the casual user, a tricky QR code with an URL printed below could be even more deceiving, I mean, say you know the possible issue, manually type the printed URL that seems legit and it is actually legit, someone queueing behind you scans the QR code and bam, he/she gets the "bad" site instead. (I am thinking, there was a post some time ago about parking lots where paying for the parking was through QR codes that were replaced by "bad" ones).

Yes but I could also just sticker my lookalike url over that
It can also cram all that data into only a few square centimeters, which is a godsend in places like packaging, where every square mm is precious.
> If we were to have standardized font that had distinct characters

In addition you'll need checksums to detect folds or scratches on the print. E.g. when the "m" in pets.com is scratched. QR codes have that. You'll want fallbacks for such wear and tear. QR codes can have that (depending on settings when creating, it will repeat the pattern multiple times). You'll need unicode support for all languages in the world (QR is just bits). You'll need to handle (bi)direction (Again: QR is just bits and bytes).

And when you have all that, the solution suffers from the exact same problems as what QR "suffers" from. I, human, cannot read an arab unicode URL that is repeated for redundancy (and one of the three is malicious) or understand the checksums.

I think it's obfuscating the issue to say this is a problem with QR codes. The actual problem is visiting an unknown URL. It doesn't matter if you do that by QR code, clicking a link, or typing it in. The end result is the same. The lesson should be "Don't visit URLs you don't trust" no matter how you enter them into your browser.
Yes, but it is a step further, the QR code is an URL that you (normally) can not read/parse so that you have no way to judge whether it is to be trusted or not (besides the known fake URL issues with Unicode characters which I believe is still a thing).
Same issue with an URL shortener (which are also frequently used with QR code)
It's also true of literally any URL given that the server could just response with a 302 Redirect to any other URL which your browser will happily resolve. That means you can never really trust any URL ever.
It's not obfuscated if app shows you domain name from parsed URL and you must tap to visit. No problem here whatsoever. Crappy QR code apps may be a problem if they automatically open link for you.

Btw I noticed Edge has this handy "Create QR Code for this page" icon next to URL bar when URL bar is selected.

Punycode attacks can make this kind of verification basically impossible.

The problem is that it is dangerous to visit a link. It shouldn’t be.

All browsers let you see the domain of the page you are connected to.
The difference here is, that with classic urls, you have: "visit www.cdc.gov/info2022", so you know the domain, you see that there is no tracking, and you usually recognize the domain itself and can gauge the relative safety just by reading the domain itself.

With a qr code, especially with shorteners and tracking (adding a location token in the url in the QR), you usually get a huge url, that people don't actually read and check but just open... so you open a "www.cdc.gov.someshadeyurl.cn/?...tracking...".

> just by reading the domain itself

Its easy to overlook that. Thinking its safe to click on www.google.com... while the full domain is actually www.google.com.example.com

The comment you are replying to was mostly about meatspace. You don't click links in meatspace, you type them into your browser by hand.

The threat scenario of someone putting a malicious URL on an official-looking document is distinct from someone putting a malicious QR code on an official-looking document as the latter allows all the same malicious URL techniques that work for links while the former involves a human typing out the URL in full (and thus either auto-correcting intentional "typos" or at least having a chance to notice them).

In other words: QR codes allow link spoofing in meatspace. Even if you understand phishing, you might not think to verify that the official looking document with a QR code on it placed in or on the associated official building might be a trap. The mitigation required for this threat scenario is more akin to securing an ATM.

Yes, but if it's just written somewhere, you have to type that in manually, so you notice something strange while typing the suspiciously long url. With qr codes, it scans in a second, and it's easier to miss it, especially if the qr reader automatically opens the url.
(comment deleted)
Exactly. One of the scam email I received had domain

microsoft.com-online.top/review

> The actual problem is visiting an unknown URL.

This should not be a problem. To the extent that it is, it's a software failure and a supplier failure, and the problem lies with the one-and-two-bits browser vendors.

> Don't visit URLs you don't trust

Harder than it sounds if you question what it means to "trust" a URL. Trust to do what? What systems are in place to ensure URLs can be "trustworthy"? Doesn't this just further shrink the internet to the five sites you do "trust"?

Yeahs, ... not visiting is not an option.. but don't feed them after midnight (aka give user agent, referer, cookies, javascript, 3rd party links...)
Doesn't that just shift the problem from "don't visit URLs you don't trust" to "don't use a browser you can't trust"?
It is, but it’s a more realistic proposition to trust a browser, especially as you have very few choices.
Given that there are a billion URLs and one-and-a-bit browsers, the question of whether or not to trust the browser is easier to look at.

Even easier on iOS. Do you trust Safari? No? Well, tough.

I bring in the Wisdom of James Mickens, PhD and research at MS to share my opinion on that advice.

> Security people are like smarmy teenagers who listen to goth music: they are full of morbid and detailed monologues about the pervasive catastrophes that surround us, but they are much less interested in the practical topic of what people should do before we’re inevitably killed by ravens or a shortage of black mascara. It’s like, websites are amazing BUT DON’T CLICK ON THAT LINK, and your phone can run all of these amazing apps BUT MANY OF YOUR APPS ARE EVIL, and if you order a Russian bride on Craigslist YOU MAY GET A CONFUSED FILIPINO MAN WHO DOES NOT LIKE BEING SHIPPED IN A BOX. It’s not clear what else there is to do with computers besides click on things, run applications, and fill spiritual voids using destitute mail-ordered foreigners. If the security people are correct, then the only provably safe activity is to stare at a horseshoe whose integrity has been verified by a quorum of Rivest, Shamir, and Adleman.

he concludes the paper by saying

> However, as JohnF. Kennedy once said, “SCREW IT WE’RE GOING TO THE MOON.” I cannot live my life in fear because someone named PhreakusMaximus at DefConHat 2014 showed that you can induce peanut allergies at a distance using an SMS message and a lock of your victim’s hair. If that’s how it is, I accept it and move on. Thinking about security is like thinking about where to ride your motorcycle: the safe places are no fun, and the fun places are not safe. I shall ride wherever my spirit takes me, and I shall find my Gigantic Martian Insect Party, and I will, uh, probably be rent asunder by huge cryptozoological man- dibles, but I will die like Thomas Jefferson: free, defiant, and without a security label.

With all the leaks and exposures, and backdoors we are finding out about we are now just learning how unsafe everything always has been, the security that we thought we had in OSes and cryptographic wizardry devised by intellectuals who exist on a different plane were not actually protecting us from the harsh elements of reality but were instead a security blanket we hid under hoping the outside wasn't real, but the internet and web is here, and it is terrfying and horrible and an insecure mess, but "I will die like Thomas Jefferson: free, defiant, and without a security label."

Thank you! I was trying to remember his name a few days ago to find his essays and it was driving me crazy - couldn't remember enough keywords to get past the 10000 content marketing articles on search engines.
It's a great paper, and what I wrote isn't in contention with the point Mickens makes. Rather than pretend that QR codes are a problem and dodgy domains aren't, it's better to peek out from the security blanket and understand the threats that exist no matter what.

A QR is a danger just as a typed domain or a clicked link is a threat, so users should beware. That doesn't stop people living their lives, but instead gives them the awareness to check things occasionally when they look off, what to look out for as they go about their web business, and not to blindly trust what they see, or to blindly assume something is a threat because it's a code.

Security people are like smarmy teenagers who listen to goth music

FWIW I'm not a security person; I'm smarmy for entirely different reasons. I do quite like goth music though.

I can recognize sarcastic and flip cynical reason when I read it. Ground work for an ideology of distrust and irrationality.

Meanwhile, don’t click on links you get in spam email and don’t visit QR-codes printed on stickers you find on the bus or subway is common sense and will serve you well.

This is warm-and-fuzzy sounding sophistry. JFK didn't just say, "Screw it we're going to the moon." He put billions of funding and hired smart people to do it. The bad things that will happen to you is typically not an irate man shipped to you in a box. The first rule: don't lose the principal. That is, don't do stupid things that will get you hacked, whether the loss be small or large. I don't understand the necessity of QR code for a URL, they are worse than URL shortener. Is there an actual, valid, use case of QR codes, I can only think of 2FA key generation, and even that could be done pointing your camera at a string of digits? With OCR, you and your phone can see where you're going. Nobody is stopping you from going to fun, unsafe places, don't get robbed doing it, that's all we're saying.

Edited to add: I think what made the QR code take off was restaurants putting them on their menus in the pandemic, so they could do touchless, menu-less ordering. Their ubiquitousness and the harmless environment in which they are encountered (restaurants, food, drinks, friends) acclimate people to using them and formed a habit and a perception when there had been none. It's not a new danger; unsafe URL had always been a danger, now it has a new benign look.

since the web is supposed to be hyperlinked media essentially the way you find urls you trust is by visiting them, if you do not visit a url you will not have urls to visit and thus no urls you trust.
This is a nice example of "yes, but no" statement. Technically true, the root cause is the same.

But the practical level of threat is nowhere near identical. Typing "www.totallynotafraud5bingonigerialetter.com" manually is something regular people won't do. Too much work, too many typos. Natural laziness acts as a sort of immune system that protects you from getting burnt.

In case of dodgy links in e-mails, e-mail providers of today try to protect the users by deleting or at least flagging suspicious messages. This reduces the threat level by quite a lot.

But as of today, there isn't any protection between you and a malicious QR code.

No, the problem is the QR code, not the URL. More specifically, it's the context in which you see the QR code. For instance, one scam is replacing the QR codes on parking meters with another one, linking to a different payment site - https://www.theverge.com/2022/1/12/22879728/phishing-scam-pa...

Even if the QR code wasn't altered, the payment site for a parking meter is going to be some random company you probably haven't heard of. So is the scam site! Both sites will look legitimate (and the proper site is most likely shoddy and half broken anyway!) There's going to be very little that you can use to tell them apart just by going on the URL.

The problem isn't (just) hackers using dodgy URLs to install malware, it's social engineering.

This is just the age-old oblivious user problem. An educated user will always go out of their way to link the identity of the service provider to the app that initiates the payment. It was executables in the noughties and now it is QR codes. Little difference.

Say you get a QR code that sends you to yourparkingspace.co.uk. In the footer it claims 'Member of the British Parking Association'. BPA website lists the url in the QR code, and the BPA website URL is linked from Wikipedia. This took ~ a minute, and you only have to do it the first time you encounter this parking provider. Then there are app reviews on the mobile marketplaces and a dozen other ways to verify the QR code/URL.

Most users are not educated enough to protect themselves from bad actors. It's our (government, industry, whitehats, etc.) moral responsibility to protect those users from those who would exploit them.

Not that I have a solution, but I don't believe blaming the victim is the solution.

Most users are not educated enough

It's not to do with education, that's just another form of victim blaming. The QR code is not the focus of the users' attention, they are trying to do some other task (parking, or whatever) and the QR code is just another irritant getting in their way. If you could magically 'educate' people to distrust everything in their everyday life, nothing would ever get done.

I've not heard of the BPA, how am I to know whether this is a real organisation, or just one that the scammers have made up, with a quick official-looking website? Do you really check wikipedia for every website?

Maybe the real group is the 'British Parking Meter Association', BPMA, and the BPA is a scam, and the wikipedia article is one that the scammers just made up? How can I really tell the difference?

You know, and I know, that practically no-one is going to do in-depth company research when scanning a QR code, or following a link, this security argument is junk.

The above isn't an in-depth verification, but it's something most people can do, and enough to prevent the vast majority of scams.

Of course there is no protection from a dedicated attacker or someone who targets you specifically; I'm not suggesting there is a reasonably convenient protection in that case.

To answer your question regarding whether I really check, I followed a similar process when I was using a digital launderette earlier this week, and when I was renting a flat, I verified the agency's URL through checking out their shop window on Street View, apart from checking out the landlord and land registries. It is a habit that I'd expect everyone to develop.

> For instance, one scam is replacing the QR codes on parking meters with another one, linking to a different payment site

How's that different from printing an URL on the parking meter which can be replaced by an attacker with a different URL?

Nobody, and I mean nobody, punches in URLs by hand. They put keywords into a search box, and sometimes those keywords have .com at the end for some obscure geeky or marketing reason they don't understand or care about.
So an attacker just needs to be better at SEO, or they need to register a domain. The problem still lies with visiting untrusted domains rather than the obfuscation of the URL by a QR code.
I definitely enter urls into my address bar. It would be absurd to assume I’m alone. My meters are ppprk.com (for Passport Parking) so I type in ppprk.com.
I still don't think this shows a problem with QR codes. Let's compare with the case where a malicious entity sends an unauthorized parking toll collector to a city-managed parking lot. As someone parking there, I will pay the fake toll collector some money that the city should have received instead, and I will perhaps pay a little more than the city would have required. If the police later checks parked cars, they may tow/bill my car if there was some security system I missed.

How is this different from someone replacing the legit QR code with a fake one?

First of all, there's a difference with payments infrastructure if I can't make a payment to a dodgy site content in the knowledge that I will l, at the very worst, lose the amount of money I am paying there (hopefully 3D secure will help with this, but not 100%). In practice, a site having my credit card details may well steal far more money from me, and depending on my bank I may or may not be able to contest the charges. Much worse than handing some cash to a fraudulent toll collector.

Second of all, the chance that the my parked car will be seen as invalidly parked by automated systems is greater, since the system is definitely automatic (whereas regular parking may simply rely on access to the parking area to decide if you apyed or not). However, I will likely have proof that I did pay for my part, since I have my bank statement, and I can show a picture of the fake QR code showing I am a victim. The city will have to go after the ones who replaced the QR codes and the dodgy site to recover their money, and I will be no worse for wear (though I may need to get here through a court, depending on how good faith and competent the police was). The same or even better than the fraudulent toll collector case.

So, I would say the biggest problem is neither the QR code nor the URL, the biggest problem is the payments infrastructure. I should actually feel secure sharing my payment details with any site whatsoever, and know that at worst I will not get the service I though I was paying for, just like with cash.

Seems like QR code readers automatically opening URIs is a great way to trigger CSRF attacks in vulnerable sites
This is the same problem as tinyurl et al.

The answer is to have apps that expand/reveal the destination before _opening_ the destination.

Maybe they should sound that alarm when they sit on zero day exploits that later get used to cause serious harm.
It seems American scammers are learning from Chinese ones. Fake payment QR codes are everywhere in China.

Somebody take his QR, changes it to look visually similar to victims one, puts it on a sticker, and slaps it on top of store's QR code the moment the cashier turns his back.

Rental bikes also often come with fake QR codes on them.

I love this idea, you just have to make sure that you still pay the original QR code owner and only add a little "processing fee" for the sticker. Love it.
this is actually funny because now I remember an essay from about the time when QR codes came out that asserted - nobody would ever use QR codes, QR codes were a stupid solution to a problem that only techies thought really existed, techies don't understand peoples real use cases and thus they always produce unneeded solutions, and thus in conclusion and again nobody will ever use QR codes hah hah!
> The bottom line: QR codes can be helpful. But don’t click unless you’ve verified that the source is legitimate — and make sure the site is authentic once you reach your digital destination.

So like always: “think” instead just “do”.

Something I haven't seen mentioned yet is that physical, printed QR codes are more easily tampered than URLs. And they're prompted by the victim; they're interested in a event flier or need access to a digital menu. Together, this makes QR codes easier to phish with than your standard spammy text message or email with a shortened URL.