Just a thought

Apparently Chrome will now make a QR code of a page. I assume, but don’t know, that this means that taking a pic of the code then takes you to the page?

At which point, a QR code of goatse. To then plaster over the displayed QR codes of folks you don’t like.


OK, maybe not then. But that’s the sort of mischief which can’t possibly be original. So, where are those reports of folk littering fake QR codes around?

12 thoughts on “Just a thought”

  1. Sounds like just as much fun as taking a Sharpie to all the existing QR codes that you see splattered around shops and other places. 🙂

  2. QR? Something I refuse to use. Just looks so obviously hackable. Make a QR of a fake web page. Print out self adhesive copies. Slap them over genuine ones & away you go. Browsers on phones are too opaque to easily see if you’ve been taken to a scam site & most phone users don’t seem to realise there are such things as browsers & weblinks anyway. Is it possible to inject other crap into a device through a QR reader app? The install asks your permission to access every bloody function on it.

  3. @BiS: If I scan a QR code on my phone it shows me the URL and asks if I want to go there. There’s less risk involved than clicking on a mislabelled link in a web page.

    Tim: there are both command line utilities and web sites that will create QR codes for you. You can put any text you like in them, it doesn’t have to be a URL.

  4. Not just text. Basically any data – the UK and EU vaccine passports are a case in point. It’s all coded up in ways to minimise the size of the QR relative to the amount of information carried.

    Sharpie marks on codes may not screw up the decoding depending on how much error protection is applied.

  5. Bloke in North Korea (Germany Province)

    Of course one option is something like Microsoft’s enforced safelink thing in Outlook.

    Microsoft will generously check each and every link emailed to you that you ever click on, by uploading it to its servers first, out of the pure kindness of its heart. For your safety and security.

  6. Just how many potential QR codes are possible? I frequently wonder the same thing about bar codes. Unless there’s a central overseeing organisation, what is to stop the same code being used for different products? In a similar vein, why do so many orders & invoices have absurdly long numerical or alpha numerical references? I’ve seen some that run into trillions of possible combinations, and they are often from small suppliers who haven’t been trading for more than a couple of years…

  7. Vandals in Sheffield allegedly plastered anti-vax QR codes over the official vaccination ones. In practice I suspect the hit rate is just too low to be worthwhile.

  8. You don’t need a central authority for bar codes (or similar codes such as ISBNs or telephone numbers, or URLs). You just need a system to delegate subsets of the entire range and you use that subset. For instance, I have ISBN range 978-XXXXXXX-00 to -99. As long as I only use numbers in that range they will never clash. It’s the same with product barcodes. Unilever have EAN 5000208-XXXXXX or whatever, it’s irrelevant what numbers they use they will never clash with somebody else using a different range.

    It’s like saying “oh, but there must be a central authority for phone numbers”. No, any Sheffield telephone number is never going to clash with a Manchester telephone number, there is no need to coordinate allocating numbers in Sheffield and numbers in Manchester through a central authority because by definition there is no connection between numbers in Sheffield and numbers in Manchester. Whatever number assigned in 0114-XXXXXXX is never going to clash with a number in 0161-XXXXXXX, and there is no need for any coordination between assigning numbers in 0114-XXXXXXX and numbers in 0161-XXXXXXX.

  9. A QR code can hold up to 3K of data. Many routers barf with URLs longer than 1023 characters, so there’s plenty of space.

  10. Yes, QR codes, like bar codes (which they essentially are), can be spoofed/manipulated for nefarious purposes.
    Which is also done “in the wild”. Usually quite “innocent” (like the Goatse example our Host mentioned), but there’s a marked increase in the malicious spoofs. Of course Googol adapting and embracing QR for the masses has nothing to do with that… [/sarc].

    Which is why, as some peeps in the comments pointed out, smart people use a checking service or manually check the url before proceeding.

    Most people aren’t smart though, but then again those people are intimately familiar with the (re-)flash/unlock/etc. services your average corner phoneshop entrepreneur has available anyway, so it wouldn’t make much difference.
    And because mobile phone + security is a laugh to begin with on most models/browsers/apps you simply don’t hear about it. So many malicious pop-up/sideloading “ads” and “apps” that any malicious use of QR codes simply disappears in the background noise.
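
Added example, not part of the post or of any comment above: a sketch of the "check the URL before proceeding" step that comments 3 and 10 mention, applied to text that has already been decoded from a QR code. The function name, the `expected_hosts` list and the sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def triage_qr_payload(payload, expected_hosts):
    """Return (kind, warnings) for text decoded from a QR code.

    expected_hosts is an assumption of this example: the hostnames the
    sign or poster is supposed to lead to.
    """
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ("malformed", [])
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # QR codes carry arbitrary text: Wi-Fi configs, tel:, plain notes.
        return ("non-web:" + (scheme or "text"), [])
    warnings = []
    host = (parts.hostname or "").rstrip(".")
    if scheme == "http":
        warnings.append("no-tls")
    if parts.username is not None:
        # "https://trusted@other-host/" really goes to other-host.
        warnings.append("userinfo-in-url")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
    except ValueError:
        pass
    # Match the registered name as a suffix, never as a prefix.
    if not any(host == h or host.endswith("." + h) for h in expected_hosts):
        warnings.append("unexpected-host:" + host)
    return ("web", warnings)

# Constructed sample payloads (reserved example/test names only).
SAMPLES = [
    "https://vaccines.example.org/book",
    "http://192.0.2.7/book",
    "https://example.org@evil.test/login",
    "https://example.org.evil.test/",
    "WIFI:T:WPA;S:cafe;P:constructed;;",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", triage_qr_payload(s, ["example.org"]))
```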
