You must log in or register to comment.
Whoa, I need to recover from reading this. Where to even begin?? Asks for a phone number? Nonetheless, but a WhatsApp phone number? Hmm, a red flag, but it’s nothing compared with the rest of the post. A friend asked me maybe two weeks ago to help him make a QR code for a restaurant menu since I deal with them a lot for work (it’s actually not that difficult, see here). The generator I use is likely the safest in the market, with all bells and whistles, and I always tell anyone who asks - check the generator carefully before making a QR code, especially for business and especially if you plan to print it. Read the reviews. Look for security features. Plus, many advertise free codes, but it turns out - not really (people create, print, and then two weeks later - hello, pay a subscription if you want your code to work again). And I thought this was bad. But what I read now escapes reality. A big thanks to those who posted the archived copy, by the way.
scanning a random qr code has to be this generation’s plugging in an unknown usb drive.
It’s easier to take precautions though. You probably don’t have an insulated USB port or throwaway host device but handling QR codes safely just takes basic tech and skill.
Important advice:
- Don’t use apps that auto-open URLs in QR codes when pointed at!
- Make sure the app shows the full content of the QR code and lets you peruse it indefinitely before you open the link!
- Know the structure of URLs and common pitfalls!
Recommendations:
- Be extra suspicious if there is no URL printed next to the code, or if the printed URL is different.
- Use an open source reader app (most QR codes don’t contain secrets but it’s got permission to use either camera!) that does not resolve Punycode (Unicode in TLDs).
- Strip any tracking parameters you spot before following any URLs.
- Be careful if the QR code could have been easily tampered with (on a sticker over the original one, or on a plain sheet of paper inserted into a plastic wrap together with the rest)
I think today’s generation’s equivalent is free Wi-Fi networks. Kids without mobile data in an area without an established public network will connect to just about any open one unless the SSID includes “LaserJet” or similar.
I keep meaning to look more into how qr codes work. I always wondered if there were possible attack vectors if a bad actor exploited a flaw in the decoding of the image. My mind went to a zip bomb for no apparent reason (a tiny file that unzips to a massive amount of data on disk)
That is very decoder-specific. The most common QR reader apps are the Camera app on iPhones and Google Lens for Android so you’ll want to target one of these (though Google Lens might be using cloud processing for that). There probably won’t be any exploits in the image processing part but you obviously can write arbitrary data (including ASCII control characters such as CR, LF, null) into the “data” part of the QR code, as the encoding mode and data length is stored in the first 4+(n*8) bits of where data would be instead of null byte termination. Normally, the data is then right-padded with repeating
0xEC11(or not) and then error correction follows (number of bytes in the error-correction part is defined by the size and ECC mode indicated in another region).
You just don’t open the link
I mean, unless somebody is burning browser zero days on random public QR codes I’m not too worried.
You would at least be able to examine the link first.
The main event here was pretty interesting, but I’d just like to say that
It asked me for my name and Whatsapp mobile number.
Why not just the mobile number. Do they also operate drive-ins that only accept BMWs?
In certain places like India, WhatsApp is the default means of communication for everyone.
You can use it without phone data if you are on wifi, it supports better quality than sms for sending images, you can video chat with it, it’s cross platform, etc etc.What’s more amazing to me is that it’s not more popular in western countries.
Gonna be honest I’d much prefer Signal to take off in this regard. In the US iMessage is the closest widely excepted equivalent, but if I’m gonna do WiFi IM, I want to know it is 100% verifiably private. Otherwise I might as well be using SMS/MMS.
I agree and use Signal myself.
But people like the extra features of WhatsApp like desktop/web clients with seamless history sync and all the other little things that WhatsApp provides.
The average Joe doesn’t even think about security or privacy, they just know that the results of using WhatsApp are superior than using SMS.
iMessage is a non starter everywhere out of the US, it just doesn’t have the market penetration.
As an Australian, no one I know (many of whom own iPhones) talk about the blue-green bubble stuff.
They recognise where the fault lies and simply don’t use the app.I know the average Joe doesnt care about security/privacy but, ugh. Really wish we did. Society (at least in the US, where I am) might be a bit less shit if they did. I’m glad to hear that iMessage is a flash in the pan in other countries though, I dont understand why its such a big deal here, especially when Signal/WhatsApp exists and provides a similar seemless experience across more than one platform, but then again you’d hear me complaining about Meta if I lived anywhere else in the world so, really a lose lose for me :(
I have a friend group that insist on all events being planned through facebook.
I’ve missed out on events in the past due to not taking part.
It’s no longer a hill I wish to die on.
It’s the most common communication tool for friends and family in much of europe
unfortunately… noone seems to stop and think for a second why Meta would maintain an infrastructure/team, spending millions upon millions to provide a service that seemingly has no monetization built-in.
I scanned the API calls to get all the details I needed. I did my thing and I was in.
Page not found :(
Has been taken down. See archived copy
Probably smart to take it down. What he did could be construed as hacking.
Self-censorship working a little too well.
Internet Archive to the rescue: https://web.archive.org/web/20240923091701/https://peabee.substack.com/p/whats-inside-the-qr-code-menu-at
Edit: oops, @ChaoticNeutralCzech@feddit.org beat me to it!
Absolute insanity.
I would have abused this great and terrible power in just the same way he described. Random orders for random tables at random restaurants at random times in small quantities for as long as they aren’t protected. Just enough to be an inconvenience/awkward but not enough to raise alarms.
And now I will check every QR code I scan at a restaurant.
That seems kinda fucked up. Why would you do something like that?
I mean, I at least get fucking with people for money. Doing it for fun, not so much
Also, anyone know what they meant with this line?
I still loved my life so I didn’t want to use the Google custom search API.
