
Malicious QR Code Use On the Rise

Soulskill posted more than 2 years ago | from the time-to-incorporate-rorschach-verification-tech dept.

Security 234

New submitter EliSowash writes "Malware developers are increasingly using QR Codes as an attack vector. 'The big problem is that the QR code to a human being is nothing more than "that little square with a bunch of strange blocks in it." There's no way to tell what is behind that QR code.' The advice we've always given to the computer user community is 'don't click a link in an email if you don't know who it's from or where it goes' — so how do we protect unsuspecting users from QR codes, where you can't see the destination at all?"


Just like with TinyURL... (4, Interesting)

dotancohen (1015143) | more than 2 years ago | (#38540392)

Use a service that will decode it for you. With TinyURL you are really in a bind as you must trust TinyURL itself to discover where the link goes. At least with QR the code can be decoded locally, with software that you trust.

Re:Just like with TinyURL... (5, Insightful)

SQLGuru (980662) | more than 2 years ago | (#38540630)

I've never used a QR code reader that auto-navigated to a link. The ones I use will display the content/data....and if it's a URL, will show the URL as a hyperlink. It's up to me to click it. This includes the QR code reader built on my phone.

I don't think I would want a reader that worked any other way. Especially considering that the QR code can contain more than just a link.

Re:Just like with TinyURL... (5, Informative)

bmo (77928) | more than 2 years ago | (#38540686)

>With TinyURL you are really in a bind as you must trust TinyURL itself to discover where the link goes.

That is why God made preview.tinyurl.com

--
BMO

Re:Just like with TinyURL... (5, Funny)

jhoegl (638955) | more than 2 years ago | (#38540782)

I made no such thing mere mortal!

Re:Just like with TinyURL... (5, Interesting)

GIL_Dude (850471) | more than 2 years ago | (#38541022)

For Chrome users, the LinkPeelr extension works well to pre-decode links for you in a little tooltip window. I've been using it for quite some time and it seems to work pretty well. Saves you from many a rickrolling or goatse link. Although I guess when people bounce them through several layers of link shortener it doesn't work for that.

Re:Just like with TinyURL... (0)

Anonymous Coward | more than 2 years ago | (#38541288)

Yes, but having to go to another site to decode a link is a further complication that users will rarely do, even if it's 'mandatory'.
Now if you use a QRcode that's encoded with a TinyURL you are obfuscating even more, so you'd have to decode the QR, then the tiny. Yeah, nobody is going to do that except the totally paranoid or anal-retentive.

On the other hand, if someone made a QRcode Reader that automatically decoded the URL, and the TinyURL if present, to give you the final URL it actually goes to before you 'accept', now that would be cool and useful. Your users might even look at it. Heck, as long as you're going that far, might as well include some whois and blacklists to improve safety, but then some people will start whining about lazy users, big brother software, or maybe just bloatware...
You'll never please everyone, so try to find a workable balance that most people will use.

Re:Just like with TinyURL... (1)

Anonymous Coward | more than 2 years ago | (#38541358)

I believe you meant http://tinyurl.com/preview.php
You are welcome

Re:Just like with TinyURL... (5, Informative)

Fez (468752) | more than 2 years ago | (#38541064)

Which is where LongURL [longurl.org] comes in handy, it can show you every redirect taken and what the final destination of a short link is, including when they try to be sneaky and redirect after the "bad" page to something like google.
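What a redirect-expanding preview of the kind discussed in this thread has to do, as an added sketch (not code from LongURL, LinkPeelr or any commenter): read each `Location` header by hand instead of following it, show every hop, and stop on loops or over-long chains. The `.example` hosts and the redirect table are constructed so the block runs offline; `http_fetch` is a hypothetical live fetcher built on the standard library.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed redirect table standing in for the network (not real services):
# a shortener that points at a second shortener, plus a two-URL loop.
SAMPLE_REDIRECTS = {
    "http://short.example/a1": (301, "http://tiny.example/zz9"),
    "http://tiny.example/zz9": (302, "/landing?id=7"),      # relative Location
    "http://tiny.example/landing?id=7": (200, None),
    "http://short.example/loop": (302, "http://tiny.example/loop"),
    "http://tiny.example/loop": (302, "http://short.example/loop"),
}


def sample_fetch(url):
    """Offline stand-in: return (status, Location) for a constructed URL."""
    return SAMPLE_REDIRECTS.get(url, (200, None))


def http_fetch(url, timeout=5):
    """Live fetcher (assumes HEAD is answered); http.client never follows redirects."""
    parts = urlsplit(url)
    secure = parts.scheme == "https"
    cls = http.client.HTTPSConnection if secure else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, fetch=sample_fetch, max_hops=10):
    """Return (chain, verdict): every URL visited and why the walk stopped."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain, "final"
        nxt = urljoin(chain[-1], location)   # resolves relative Location values
        chain.append(nxt)
        if urlsplit(nxt).scheme not in ("http", "https"):
            return chain, "non-http target"  # never hand this to another handler
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too many hops"


def hosts_in(chain):
    """Distinct hosts in visiting order, for a one-line preview."""
    hosts = []
    for url in chain:
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    for start in ("http://short.example/a1", "http://short.example/loop"):
        chain, verdict = expand(start)
        print(verdict, " -> ".join(chain))
```

Pass `fetch=http_fetch` to walk a real chain; the preview should show the whole list returned by `expand`, not only the last entry, so a hop through an unexpected host stays visible.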

Does anyone have a QR code to a Rick Roll? (4, Funny)

Nadaka (224565) | more than 2 years ago | (#38540394)

Does anyone have a QR code to a Rick Roll?

Re:Does anyone have a QR code to a Rick Roll? (1)

broginator (1955750) | more than 2 years ago | (#38540488)

Here you go [imageshack.us]

Re:Does anyone have a QR code to a Rick Roll? (5, Funny)

g0bshiTe (596213) | more than 2 years ago | (#38540534)

I do, but I'm never gonna give it up.

Re:Does anyone have a QR code to a Rick Roll? (1, Funny)

jez9999 (618189) | more than 2 years ago | (#38540634)

I'm never gonna let it down.

Re:Does anyone have a QR code to a Rick Roll? (1, Funny)

Nadaka (224565) | more than 2 years ago | (#38540736)

And hurt you.

Re:Does anyone have a QR code to a Rick Roll? (0)

Anonymous Coward | more than 2 years ago | (#38541312)

CCCCCCOMBO BREAKER!

Re:Does anyone have a QR code to a Rick Roll? (0)

cvtan (752695) | more than 2 years ago | (#38541322)

or dessert you.

Re:Does anyone have a QR code to a Rick Roll? (2, Informative)

Anonymous Coward | more than 2 years ago | (#38540580)

Google has an API to create one on the fly. Use this base URL and append any URL you want to the end and you've got a QR code.

https://chart.googleapis.com/chart?cht=qr&chs=200x200&chl= [googleapis.com]

Just add a youtube link to the video and voilà.

Re:Does anyone have a QR code to a Rick Roll? (1)

Anonymous Coward | more than 2 years ago | (#38540680)

http://www.waxrat.com/rr.png

Re:Does anyone have a QR code to a Rick Roll? (2, Funny)

Anonymous Coward | more than 2 years ago | (#38540712)

I just had a great idea for a prank on local billboard advertisements that have QR codes.

Re:Does anyone have a QR code to a Rick Roll? (0)

Anonymous Coward | more than 2 years ago | (#38540730)

Does anyone have a QR code to a Rick Roll?

Like this?: Rick Roll [kaywa.com]

Re:Does anyone have a QR code to a Rick Roll? (2)

smart_ass (322852) | more than 2 years ago | (#38540850)

Google Chrome has an extension to create QR Codes from any link on a page.

With this I set one of my Avatars as a QR code that takes you to "Let me Google that for you" and then searches:

      Curiosity killed the cat

Hehehe

Re:Does anyone have a QR code to a Rick Roll? (1)

AftanGustur (7715) | more than 2 years ago | (#38540896)

Does anyone have a QR code to a Rick Roll?

Here you go, sir!/A? [imgur.com]

Well... (0)

bonch (38532) | more than 2 years ago | (#38540398)

The advice we've always given to the computer user community is 'don't click a link in an email if you don't know who it's from or where it goes' — so how do we protect unsuspecting users from QR codes, where you can't see the destination at all?

Tell them not to visit random QR codes? They're dumb and ugly anyway (the QR codes, that is!).

Re:Well... (1)

hedwards (940851) | more than 2 years ago | (#38540756)

They're extremely useful though. Given that QR codes are ultimately text, there really should be a preview of what you're about to execute. Just a simple text preview of the information embedded in the code.

Re:Well... (2)

CapOblivious2010 (1731402) | more than 2 years ago | (#38541076)

Something's fundamentally wrong, though, if you can't click on a random link. OK, maybe there's a browser vulnerability from time to time, and given how many there have been, clicking on random links (especially on the seedier side of the web) might not be the smartest thing you can do - but if end users are supposed to have to worry about clicking on a link, then we (the techies) are letting them down big time.

Re:Well... (2)

LordLimecat (1103839) | more than 2 years ago | (#38541400)

And given how many exploits are propagated by ads and server hacks of well trusted sites (facebook, drudge, etc, have all been sources of ad-viruses), it gives a false sense of security. I've had many a user convinced that they could never get a virus because of the sites they visited; they got one, and browser history showed facebook, and I had to explain how virus distribution works to them.

Best way to set your users free from having to think about such things: uninstall Java JRE, uninstall Acrobat reader (and install Foxit), update flash, get them using Chrome. Their browser will autoupdate, and there won't be any plugin 0-days to exploit.

Some scan apps can show URL and ask first (5, Informative)

DaphneDiane (72889) | more than 2 years ago | (#38540402)

The QR scanner app [apple.com] that I use has an option to show the URL before going to it which seems like a good approach, though it's not on by default. Seems like having such an option be the default would be a good first step, perhaps with a straight through exception for sites already visited.

Re:Some scan apps can show URL and ask first (4, Insightful)

blackraven14250 (902843) | more than 2 years ago | (#38540514)

The one on Android marketplace (also the particular one that many apps are linked into) does show the link by default, but that still doesn't necessarily help the person using the scanner, who may be completely clueless that they're about to head into a random foreign domain.

Exactly (0)

Anonymous Coward | more than 2 years ago | (#38540584)

That seems like the most sensible implementation.

Re:Some scan apps can show URL and ask first (1)

Ethanol-fueled (1125189) | more than 2 years ago | (#38540810)

If they see a link that leads to http://vseafv.yrsfdfcvb.com/gsdfrgrdcgbgxdrbg most of the dumb morans are gonna go to it anyway, out of curiosity.

Re:Some scan apps can show URL and ask first (3, Funny)

Yvan256 (722131) | more than 2 years ago | (#38540880)

Sure, the morans will click the links but what about the morons?

Re:Some scan apps can show URL and ask first (1)

LordLimecat (1103839) | more than 2 years ago | (#38541414)

Potential whoosh detected....

The same way tinyurl does it (1)

smileygladhands (1909508) | more than 2 years ago | (#38540408)

Provide a preview of what is behind it before actually sending off to the url.

Show the link first? (1)

Victor_0x53h (1164907) | more than 2 years ago | (#38540418)

When a QR code is scanned, display the link with an option to follow or cancel? Now we're in the same situation as any other link presented to someone.

Re:Show the link first? (2)

QuasiSteve (2042606) | more than 2 years ago | (#38540478)

Which doesn't help all that much if the URL itself is from some link shortening service (so you still don't know what it is) - and the URL shortened is... to another link shortening service (so the first URL shortening service's preview of the page is just that of the other service).

Of course at that point it's probably wise not to follow the link anyway.

Re:Show the link first? (1)

hedwards (940851) | more than 2 years ago | (#38540778)

True, ultimately the solution to this is going to involve ceasing the abuse of URLs. They were never intended to contain so much session data and such as they do now. The fact that I often times can't read the URL is a pretty clear indication that there are troubles ahead.

My phone shows the destination (1, Informative)

Anonymous Coward | more than 2 years ago | (#38540420)

Google goggles and QR scanner on Android both show the destination.

Just like evil hyperlinks (5, Interesting)

LikwidCirkel (1542097) | more than 2 years ago | (#38540432)

This just in:
Clicking a hyperlink may result in being directed to a malicious site.

Considering 99% of uses don't check the URL of hyperlinks, I'm not sure how QR codes are any different... they're just physical hyperlinks for camera phones.

Re:Just like evil hyperlinks (0)

Anonymous Coward | more than 2 years ago | (#38540620)

Maybe so, but for those of us who *do* check urls before we blindly visit them, it would be nice for something similar in QR code readers.

Re:Just like evil hyperlinks (1)

Macthorpe (960048) | more than 2 years ago | (#38540704)

QR Droid (and I think Google Goggles) do show you the URL before you go there, at least on my Sensation.

Re:Just like evil hyperlinks (4, Interesting)

gstrickler (920733) | more than 2 years ago | (#38540674)

We should all sue BT, after all, they claim they invented the hyperlink [slashdot.org] , therefore, they should be liable for the damages of malicious hyperlinks. My theory is based upon the premise that the most effective way to fight abuse of the legal system is to use it against the abusers thereby costing them billions of dollars. Call it an "economic sanction".

Re:Just like evil hyperlinks (1)

guises (2423402) | more than 2 years ago | (#38541386)

Clicking a hyperlink may result in being directed to a malicious site.

Is this still a problem? Unless I was still using Internet Explorer 6 or whatever, I don't see why I'd be afraid of a website. Running an unknown executable, yes. Links that contain personal information in the URL, yes, though those wouldn't be in an email or QR code. But I don't see what there is to worry about here.

Re:Just like evil hyperlinks (1)

crymeph0 (682581) | more than 2 years ago | (#38541406)

Absolutely, this is no different than before - if you see a URL spray-painted on the side of a building, would you type it in without up-to-date antivirus?

Simple enough... (0)

pla (258480) | more than 2 years ago | (#38540436)

Simple - We make the standard expected behavior for any legitimate QR code reading app, that it show the contents of the barcode (and preferably certify it as kosher via Google or some AV vendor) BEFORE automatically sending you off to goatse.

Your app doesn't do that? MALWARE. The address doesn't verify as safe? Enter at your own risk.

Not a very new problem. (3, Informative)

cmv1087 (2426970) | more than 2 years ago | (#38540438)

http://bit.ly/rCBPp7 [bit.ly] You don't know where that link goes until you click it. So, what do you do?

Re:Not a very new problem. (0)

Anonymous Coward | more than 2 years ago | (#38540496)

Most people don't click on URL-shortened names for that reason. It bewilders me why people even use them any more: it vastly reduces your audience, because people aren't (generally) dumb enough to click on unknown URLs.

I didn't click on yours, for example.

Re:Not a very new problem. (0)

Anonymous Coward | more than 2 years ago | (#38540586)

That's why I use http://www.shadyurl.com/ instead.

Re:Not a very new problem. (5, Informative)

Victor_0x53h (1164907) | more than 2 years ago | (#38540506)

Cheat by adding a + to the end (you got 13 people as of now :^)

Re:Not a very new problem. (1)

krinderlin (1212738) | more than 2 years ago | (#38540624)

32 as of now. 95% have mobile referrers...the exact target of QR codes. Doesn't bode well for telling anyone to think about the content.

On the other hand: thanks! Does that work for most shorteners or is bit.ly just cool like that?

Re:Not a very new problem. (1)

Victor_0x53h (1164907) | more than 2 years ago | (#38540832)

I only know of it working for bit.ly. I'm sure others have a similar feature but probably accessed in a different way.

Re:Not a very new problem. (1)

Fuzzums (250400) | more than 2 years ago | (#38540892)

I sort of knew about the + but I forgot. I found http://bit.ly/vB0EIH [bit.ly] with google.
Probably there are identical services for other shorteners.

Re:Not a very new problem. (5, Informative)

Cobol God (157835) | more than 2 years ago | (#38540526)

http://bit.ly/rCBPp7 [bit.ly] You don't know where that link goes until you click it. So, what do you do?

https://addons.mozilla.org/en-US/firefox/addon/bitly-preview/ [mozilla.org]

Shows full URL. Rule 1 don't click on URLs to unknown websites ESPECIALLY at work! :)

Re:Not a very new problem. (4, Funny)

YrWrstNtmr (564987) | more than 2 years ago | (#38541070)

Rule 1 don't click on URLs to unknown websites ESPECIALLY at work! :)

We have this woman at work that does that. One day, I happened to be helping her with something. She was googling around, and the second link was www.foo.bar.cn. It was kinda what she was looking for, and before I could say 'No', she clicked it. It was blocked by the proxy.

"Um...you probably don't want to go there."
'Why not?'
"It's some random site in China"
'How do you know?'
"ummm...the CN at the end = China"
'Oh, I never pay attention to that'
"Well, seeing as you're on a DoD computer and network, you might want to start paying attention to that stuff"

or with Greasemonkey (1)

KingAlanI (1270538) | more than 2 years ago | (#38541120)

http://userscripts.org/scripts/show/40582 [userscripts.org]
I use this Greasemonkey script for similar reasons.
It works on shorteners in addition to bit.ly and displays the real URL automatically

Re:Not a very new problem. (1)

eastlight_jim (1070084) | more than 2 years ago | (#38541294)

As per the post above, you can use longurl.org [longurl.org] to see where it goes (in this case, here) without ever clicking on it. I'd not seen the service before but can see how it would be handy in situations like this where you are unsure whether to trust the link.

A fine question... (0)

Anonymous Coward | more than 2 years ago | (#38540440)

This is quite a question. A savvy person could just stick on a malicious QR code on any display in a mall or shopping center. How do you fight this, like the poster says, when you can't see where the link redirects? Perhaps a mandatory coding implementation for QR scanners that shows you the link and asks the user to confirm that it is where they want to go?

Re:A fine question... (1)

bhlowe (1803290) | more than 2 years ago | (#38540792)

The exploit would need to be for mobile devices... Not many known URL exploits for iPhone.. Your mileage may differ.

Re:A fine question... (1)

lennier1 (264730) | more than 2 years ago | (#38541110)

Some QR codes can store over 4000 alphanumeric characters. Since these codes are used for other stuff as well (e.g., vCards on convention passes) I'm sure there's an exploit somewhere out there which one could use.

Preview after scanning (0)

Dilligent (1616247) | more than 2 years ago | (#38540460)

Well, this would be the single most obvious thing in the world if you ask me. If I was designing an app to scan those codes I wouldn't just act on whatever content that the user might encounter but instead present him with whatever it is the QR code is saying.

So instead of scan->immediately open goatse, how hard can it be to go:
scan->Show user that the QR code contains a link to goatse and then they can decide whether to go there or not.

Likewise with all other kinds of content (usually it's just pointers though, like links to market, web sites, etc.)

Re:Preview after scanning (1)

chronoglass (1353185) | more than 2 years ago | (#38540740)

this only works if the user knows for a fact that say, cocacola isn't running some sort of viral internet ad campaign as goatse.cx.. it could be animated animals with the new coke X for all people know.

perhaps a better method might be to have the scanner software "cloud based"(wooo buzz words!) and server side pull a thumbnail of the site to be displayed.

sure you get goatse'd.. but you don't get ZOMG I GAWTS YER UDID!!!111'd

QR codes don't all have destinations (5, Informative)

icebike (68054) | more than 2 years ago | (#38540462)

You can do a lot with QR codes that have no destination at all, they are not restricted to web links. [qrstuff.com]
They can be simple text messages, address book entries, phone numbers, wifi network set up instructions, calendar events, etc.

But every implementation I've seen of a QR code reader in Android and IOS also gives you the option to inspect the content visually before acting on it. They ask if you want to proceed.

Of course one could argue the click-thru generation does not know enough to evaluate the content, but then these are the same people that no amount of malware/antivirus software can protect. They do the same with links in email links.

Re:QR codes don't all have destinations (1)

eddy (18759) | more than 2 years ago | (#38540672)

You can do a lot with QR codes that have no destination at all, they are not restricted to web links. [qrstuff.com]

Like game levels [youtube.com] .

Re:QR codes don't all have destinations (2)

cras (91254) | more than 2 years ago | (#38540886)

But every implementation I've seen of a QR code reader in Android and IOS also gives you the option to inspect the content visually before acting on it. They ask if you want to proceed.

Of course one could argue the click-thru generation does not know enough to evaluate the content, but then these are the same people that no amount of malware/antivirus software can protect.

Is the confirmation something like OK/Cancel? I also tend to click OK buttons without hardly even reading them. That's why potentially security sensitive questions shouldn't have such simple buttons, but rather two (radio?) buttons that require you to read (and hopefully understand) what you're doing, such as: "Replace network settings from QR" and "Keep the existing network settings".

Re:QR codes don't all have destinations (1)

icebike (68054) | more than 2 years ago | (#38541016)

Is the confirmation something like OK/Cancel? I also tend to click OK buttons without hardly even reading them. That's why potentially security sensitive questions shouldn't have such simple buttons, but rather two (radio?) buttons that require you to read (and hopefully understand) what you're doing, such as: "Replace network settings from QR" and "Keep the existing network settings".

It varies by implementation of course, but most offer a choice of actions depending on the type of QR code.
For instance, with the android version I am running right now, a simple Vcard via QR code, offers me a choice of add to address book, call number, sms number, etc.
Additionally there is the normal "Back" button which does nothing.
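The decode-then-confirm flow described in this sub-thread, as an added sketch that is not taken from any reader app mentioned here: classify the decoded text by payload type, build a confirmation label that names the action rather than a bare OK/Cancel, and flag URL hosts worth a second look. The `WIFI:`, `MECARD:`, vCard, `tel:` and `sms:` prefixes are the conventions common readers recognise; the shortener set, flag wording and all sample payloads are constructed for illustration.

```python
import re
from typing import NamedTuple
from urllib.parse import urlsplit

# Shorteners named in the thread; a real reader would keep a longer list.
SHORTENERS = {"bit.ly", "tinyurl.com"}


class Preview(NamedTuple):
    kind: str       # payload type shown to the user
    summary: str    # what the code contains (never the Wi-Fi password)
    confirm: str    # action-specific button text
    flags: list     # reasons to look twice before confirming


def _fields(body):
    """Split 'K:v;K:v;;' on unescaped ';' and undo backslash escapes."""
    out = {}
    for part in re.findall(r"(?:\\.|[^;\\])+", body):
        key, sep, value = part.partition(":")
        if sep:
            out.setdefault(key.strip().upper(), re.sub(r"\\(.)", r"\1", value))
    return out


def _line_value(text, name):
    """Value of the first 'NAME:' or 'NAME;param:' line in a vCard or iCalendar body."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.split(";")[0].strip().upper() == name:
            return value.strip()
    return "?"


def url_flags(url):
    """Return (host, flags) for a URL without contacting it."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:
        return "", ["unparseable URL"]
    flags = []
    if parts.scheme.lower() not in ("http", "https"):
        flags.append("non-http scheme")
    if not host:
        flags.append("no host")
    if parts.username is not None:
        flags.append("userinfo before host")
    if host in SHORTENERS:
        flags.append("link shortener")
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        flags.append("internationalized host")   # possible look-alike name
    if re.fullmatch(r"[0-9.]+", host) or ":" in host:
        flags.append("IP address host")
    return host, flags


def preview(payload):
    """Describe a decoded QR payload; nothing is opened, dialled or applied."""
    text = payload.strip()
    head = text[:16].upper()
    if head.startswith("WIFI:"):
        f = _fields(text[5:])
        summary = f"network {f.get('S', '?')!r}, security {f.get('T', 'none')}"
        return Preview("wifi", summary, "Replace network settings from QR", [])
    if head.startswith("MECARD:"):
        name = _fields(text[7:]).get("N", "?")
        return Preview("contact", name, "Add to address book", [])
    if head.startswith("BEGIN:VCARD"):
        return Preview("contact", _line_value(text, "FN"), "Add to address book", [])
    if head.startswith(("BEGIN:VEVENT", "BEGIN:VCALENDAR")):
        title = _line_value(text, "SUMMARY")
        return Preview("calendar", title, "Add event to calendar", [])
    if head.startswith("TEL:"):
        return Preview("phone", text[4:], "Call this number", [])
    if head.startswith(("SMS:", "SMSTO:")):
        number = re.split(r"[:?]", text.split(":", 1)[1], maxsplit=1)[0]
        return Preview("sms", number, "Compose a message to this number", [])
    if re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", text):
        host, flags = url_flags(text)
        return Preview("url", text, f"Open {host or 'this address'}", flags)
    return Preview("text", text, "Show text only", [])


if __name__ == "__main__":
    # Constructed sample payloads.
    for sample in ("WIFI:T:WPA;S:Cafe\\;Guest;P:hunter2;;", "http://bit.ly/rCBPp7"):
        print(preview(sample))
```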

Re:QR codes don't all have destinations (0)

Anonymous Coward | more than 2 years ago | (#38541060)

Is the confirmation something like OK/Cancel? I also tend to click OK buttons without hardly even reading them...

Well there's the problem: stop doing that. :)

Re:QR codes don't all have destinations (1)

stesch (12896) | more than 2 years ago | (#38541370)

I've searched for some time until I found a QR code scanner for iOS that does show me the URL first. There aren't many of them, I'll tell you. :-( The 6th was the right one, after I asked on Twitter, Reddit, a mobile phone newsgroup, and a Mac newsgroup. Qrafter is the name.

Apps show URL and ask to confirm (0, Redundant)

perpenso (1613749) | more than 2 years ago | (#38540464)

so how do we protect unsuspecting users from QR codes, where you can't see the destination at all

The QR code app that I use on my phone shows the URL and asks me if I want to go there. Isn't this display and prompt common for QR code apps?

If your app does not do so, get a different one. Seems like a non issue, par for slashdot these days.

I never get infected/infested here (-1)

Anonymous Coward | more than 2 years ago | (#38540466)

Nothing gets thru my impenetrable "100,000 megavolt forcefield + neutronium armor & adamantium skeleton" here:

http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&qs=ns&form=QBLH [bing.com]

It just works... & it's FASTER than std. setups too!

APK

P.S.=> I'm setup secured enough to be able to say that & mean it + running Windows 7 64-bit here... apk

Re:I never get infected/infested here (0)

Anonymous Coward | more than 2 years ago | (#38540766)

Nothing gets thru my impenetrable "100,000 megavolt forcefield + neutronium armor & adamantium skeleton" here:

http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&qs=ns&form=QBLH [bing.com]

It just works... & it's FASTER than std. setups too!

APK

P.S.=> I'm setup secured enough to be able to say that & mean it + running Windows 7 64-bit here... apk

Amazing! Those folks over at Microsoft sure do get it done! Windows 7 64 bit on a camera phone? Outstanding! APK for President!

I don't trust smartphone security (yet) (0)

Anonymous Coward | more than 2 years ago | (#38541078)

I stick to PC's online & because of security on them vs. smartphones. Smartphones are still too immature in security, & too many breaches occur on them, in terms of security for my tastes.

Not saying that smartphones aren't cool though - They're "getting there", & like most computing systems, better all the time on THAT front... but security? Not there yet.

(They are just a new technology I'll wait on until they get better @ security & not being taken advantage of as much as they have been the past few years now).

* That time'll come eventually though...

APK

P.S.=> There you go... apk

Re:I never get infected/infested here (0)

Anonymous Coward | more than 2 years ago | (#38540776)

Secure Windows. Thanks, I needed a laugh.

Secure Windows = very doable (0)

Anonymous Coward | more than 2 years ago | (#38541202)

You saying that tells me you don't know it's possible & you haven't achieved it yourself - If you had? You wouldn't say that.

* Folks've done what's in the guide I posted, even websites, & it works... really well too! Takes about 1-2 hours of your time, for years of uptime (going strong here since late 2009 in fact on Windows 7 64-bit when it released from the same installation as the day it came out).

(It uses a multiplatform security test/benchmark tool (CIS Tool) you can use on Linux, & other UNIX variants too that makes it almost fun to do (based on "best practices" in security from said OS platforms as an audit tool)).

APK

P.S.=> No Operating System out there's "bulletproof & bugfree", especially as it ships from the oem's (with good enough reasons I think - so "everything is open, but works", especially in network mass installs), but they can be made to be far more secure than default as well as faster (with a little user education in the mix with system "tuning" for speed & security)... apk

Rearranging an existing QR code (1)

Anonymous Coward | more than 2 years ago | (#38540484)

I could just see it now: this gets exploited by some guy with a sharpie, some whiteout and patience...

Look at the URL before you go to it? (0)

Anonymous Coward | more than 2 years ago | (#38540486)

I don't get it.

Both QR readers I've tried (Google Goggles and Microsoft Tag) show you the URL of a QR code and give you the option to go there or not.

Do other readers not do this? Do people just click on these links without thinking about it?

QR code as an attack vector vs ignorance (1)

jehan60188 (2535020) | more than 2 years ago | (#38540490)

don't most people not know how to use QR codes, anyway?

Re:QR code as an attack vector vs ignorance (0)

Anonymous Coward | more than 2 years ago | (#38540834)

First of all, what the hell IS a QR code?

URL Shortening (1)

theArtificial (613980) | more than 2 years ago | (#38540494)

This won't deter people, look at the popularity of URL shortening services for a reference. It's a tool and it has a potential for misuse. People are assholes, story at 11.

Did anybody expect anything different ? (1)

nomad63 (686331) | more than 2 years ago | (#38540512)

I mean, it was just another way to exploit the trust of unsuspecting and most of the time, non-internet-savvy public, armed with the gizmo of the day, called smartphones. What could possibly go wrong? It is just like giving a loaded gun to the hands of an adolescent child with raging hormones and telling him or her just shoot people who are really-really bad and nobody else. You are just trusting the judgment of totally untrustable person. If you expect a better outcome than this, good luck to you.
The problem I see with these QR codes, most of them direct you to a bit.ly or tinyurl.com link. Why is it so hard to put the full URL into it? When I see that bit.ly link on the scanned QR code, first thing I do is to hit back/exit/escape key and run like hell. But give the phone to my 80+ years old mom or 10 years old child and see where they hit.
I was wondering when this was going to be a headline, until today that is :)

Shock Value (4, Funny)

DigitalGodBoy (142596) | more than 2 years ago | (#38540570)

A while back, a friend of mine at a university printed up several dozen flyers with a QR code pointing to LemonParty and posted them around campus. Hilarity ensued as he took pictures of people's reactions as they scanned them.

Sandboxing (1)

mark-t (151149) | more than 2 years ago | (#38540590)

How hard is it to sandbox a visit to a URL? Malicious or not, nothing is going to get out if the sandbox is properly designed... and it's not like it's hard to do, it just requires a bit of forethought and planning.

http://en.wikipedia.org/wiki/QR_code (2, Interesting)

Anonymous Coward | more than 2 years ago | (#38540618)

Submitter EliSowash, editor Soulskill; please, when you folks put together summaries in the future...

...link things like QR code [wikipedia.org] ; don't expect us to know all abbreviations out there.

"Summary" means.. (2)

Feyshtey (1523799) | more than 2 years ago | (#38541068)

If the summaries include descriptions of all possible acronyms or phrases included in the discussion, it's not really a summary is it?

http://lmgtfy.com/?q=QR+Code [lmgtfy.com]

what are they good for? (0)

Anonymous Coward | more than 2 years ago | (#38540626)

i see no use for qr codes anyhow, so it makes no difference where they go.

But really (0)

Anonymous Coward | more than 2 years ago | (#38540676)

All QR tags go to goatse anyways.

If QR codes can't be trusted... (1)

john.wingfield (212570) | more than 2 years ago | (#38540692)

how do we protect unsuspecting users from QR codes, where you can't see the destination

... tell people not to scan them.

Slashdot, lagging behind (0)

Anonymous Coward | more than 2 years ago | (#38540750)

Wow, took you guys this long to figure out that QR codes aren't human readable and therefore make a great attack vector for malware developers.

What counts as "malicious site"? (1)

Hentes (2461350) | more than 2 years ago | (#38540764)

"In the simplest of terms, a QR code is a 2D barcode that can store data which can then be read by smart phone users. The data is an easy way to direct a user to a particular website with a simple scan of the QR code, but it could also just as easily be a link to a malicious website."

If visiting a "malicious site" can harm your phone, switch to a secure browser. Unless you are locked into Safari, then you are screwed.

You can't see the destination at all? (1)

Fuzzums (250400) | more than 2 years ago | (#38540812)

How... about.... using... another QR reader that shows the destination first???
Still you don't know if you can trust the link, but at least you know where you're going.

Online decoder or browser plugin (0)

Anonymous Coward | more than 2 years ago | (#38540878)

Why is there no online site which will decode an uploaded QR code? Why is there no browser plugin that you can activate by right-clicking on a QR image to decode it?

Re:Online decoder or browser plugin (1)

nedlohs (1335013) | more than 2 years ago | (#38540990)

There is. And there is.

Easy Solution: (0)

Anonymous Coward | more than 2 years ago | (#38540914)

Display the expanded url in whatever software you use to scan the code. Lots of QR handlers already display the url and give you the choice to visit it or not; just combine that with an expander and you're set.

For the people too lazy to look (like those too lazy to check a link's destination), just get them to install internet security on their phone. Just about every AV product has a phone version these days. It'll work as well as it does with a computer.

Another one (1)

ceoyoyo (59147) | more than 2 years ago | (#38541010)

Hey, another Slashdot summary ended with a forecast of impending doom disguised as a handwringing question, written by someone who doesn't know what he's talking about.

QR codes are a method for encoding text. If your decoder does stupid stuff (like visit links automatically) with that decoded text then get a different decoder.

Forget QR codes, most links on the web are quadruple encoded! They're sent to you in binary (of all things). When you turn that back into decimal you end up with ASCII code (!) and when you sort that out you're left with HTML! Finally, once you get rid of the HTML you're left with a URL! What are we to do?! How are ordinary users supposed to understand this binary-ASCII-HTML-URL witch's brew?

I know, add a Captcha! (1)

sl4shd0rk (755837) | more than 2 years ago | (#38541058)

Users don't want protection, they want simplicity. As soon as you try to secure something it makes things "hard" and they go back to doing insecure things for the sake of simplicity, or, they just don't use it at all.

The simple login/pass textfield on a webpage is a great example. It used to be easy and simple but now every one of them has some form of a super-secure captcha that is so secure the human eye cannot even discern it. A simple thing has been bastardized to the point it's too frustrating to use.

Maybe QR codes have simply had their day. Let's not "extend" them.

obfuscation bites (1)

Mister Liberty (769145) | more than 2 years ago | (#38541134)

QR obfuscates where there's actually a strong desire to know it all.

Mallarky (1)

qualityassurancedept (2469696) | more than 2 years ago | (#38541150)

I have the ATT code scanner on my phone. When you scan a code a dialogue box pops up and says "Do you want to visit...?" and it gives the actual URL. This article is like saying "malicious URLs can be hidden behind seemingly valid URLs by means of redirects so therefore you should be concerned about clicking on links on the internet."

Where's the OCR? (4, Insightful)

Doc Ruby (173196) | more than 2 years ago | (#38541160)

I don't understand why QR codes are needed. Why can't the camera use Optical Character Recognition (OCR) instead? Maybe a standard font that's easy for OCR to read, like that MICR [wikipedia.org] font they invented for check numbering in the 1960s. Maybe at first the phone just sends the image up to a server, for 3D->2D reformation and reading. But it would eliminate this problem.

And also the IDN homograph attack [wikipedia.org] that will surely become more widespread with the increase in Unicode in the Web and gradually in URLs. Your phone would be set to decode the URLs as your home character set, that you recognize, for opening as a URL - not the arbitrary URL composed of the similar looking but different valued Unicode characters.

WYSIWYG URLs. An idea whose time has come.

Hey buddy, (1)

Karellen (104380) | more than 2 years ago | (#38541222)

The big problem is that the QR code to a human being is nothing more than "that little square with a bunch of strange blocks in it."

Are you sure? Wanna try some Snow Crash?

QR Mischief (0)

Anonymous Coward | more than 2 years ago | (#38541298)

Is it possible to actually produce a malformed QR code that takes advantage of the QR-reading software or its error correction in a phone itself?
