
Slashdot: News for Nerds


Malicious QR Codes Posted Where There's Lots of Foot Traffic

Soulskill posted about a year and a half ago | from the neither-idiotproof-nor-jerkproof dept.

Security 89

Orome1 writes "QR codes are very handy for directing users to specific sites by simply scanning them with their smartphones. But the ease with which this technology works has also made it a favorite of malware peddlers and online crooks, who have taken to including QR codes that lead to malicious sites in spam emails. They have also begun using the same tactic in the physical world, by printing out the malicious QR codes on stickers and affixing them on prominent places in locations where there is a lot of foot traffic. According to Symantec Hosted Services director Warren Sealey, these locations include airports and city centers, where the crooks stick them over genuine QR codes included in advertisements and notices, and most likely anywhere a person might look and be tempted to scan them."


89 comments

This could be really dangerous! (4, Insightful)

Anonymous Coward | about a year and a half ago | (#42255175)

If anyone actually used QR Codes, which they don't, so no harm.

Re:This could be really dangerous! (0)

Anonymous Coward | about a year and a half ago | (#42255243)

Since I'm in that same boat, isn't there some "navigate to site xyz" confirmation? Or does the phone stupidly start running some executable code? Because that would be a really dumb implementation error.

Re:This could be really dangerous! (0)

Anonymous Coward | about a year and a half ago | (#42255353)

There is no confirmation on Windows Phone as far as I can tell.

Re:This could be really dangerous! (1)

Anonymous Coward | about a year and a half ago | (#42255469)

There is no confirmation on Windows Phone as far as I can tell.

At least on WP7 using the Bing Vision functionality (built into WP7.5). When you scan a QR code it lists the data in the QR code. You then have to tap on the displayed link to open the browser. If it is not a link, then it just displays the data.

Re:This could be really dangerous! (4, Informative)

idontgno (624372) | about a year and a half ago | (#42255413)

I can only speak for my specific case (Android, using Barcode Scanner app): the app displays the captured image, metadata about the capture, and a decode of the string (recognizing, for instance, that it's a URI QR). BUT does not just hie off to whatever website is indicated. The displayed URI string is clickable, and clicking it does open the URI in the default browser app, but it does take that much human intervention to navigate there.

A few notable specifics to compare with other situations:

(A) No OS-native QR code capability. It required an app from the Google App Store (free, but not Free). One of several, it appears.

(B) There is a configurable option "Retrieve more info" which, when enabled, looks up information about URI/URL QR codes as part of the decode. For instance, after ingesting the sample QR code [wikipedia.org] from the Wikipedia "QR Code" article, the app correctly decodes the URI as "http://en.m.wikipedia.org", but with the "Retrieve more info" option enabled, it adds the descriptor "Wikipedia, the free encyclopedia"... which is the <Title> property at the top of that page, so I guess the app is retrieving the target URL internally and decoding the <Title> at least. Maybe that would be a buffer overflow vector for a well-crafted exploit, so I turn that option off.

Re:This could be really dangerous! (3, Interesting)

CanadianRealist (1258974) | about a year and a half ago | (#42255777)

The problem here is you are being reasonable and thinking logically about what you're doing. I'm sure you've noticed how much the average person hates having to think. Compare your comment with the average YouTube comment and see if you don't notice a difference.

Now, try behaving like the average person for a bit: point at the QR code and then click whatever link pops up. Come on, you've already done more than enough thinking: putting the app on your phone, loading the app and pressing a button while aiming at the QR code. Now you want to have to think some more, think about where that link is going to take you?

I bet the problem makes much more sense now.

Re:This could be really dangerous! (3, Informative)

Eythian (552130) | about a year and a half ago | (#42255783)

The source code for the Barcode Scanner app can be found here: http://code.google.com/p/zxing/source/browse/trunk [google.com]

It is free as in Free, Apache 2.0 license.

Re:This could be really dangerous! (1)

idontgno (624372) | about a year and a half ago | (#42260535)

Thanks for pointing that out. I'm glad I was mistaken about Barcode Scanner's Freeness. Another reason I lucked out picking this app out of the crowd.

Re:This could be really dangerous! (1)

coolmadsi (823103) | about a year and a half ago | (#42260801)

Thanks for pointing that out. I'm glad I was mistaken about Barcode Scanner's Freeness. Another reason I lucked out picking this app out of the crowd.

I think I got the Barcode Scanner from F-Droid [f-droid.org] (open source Android app repository); I usually check there before the Play store for utility apps like that.

Re:This could be really dangerous! (1)

amRadioHed (463061) | about a year and a half ago | (#42256499)

Not entirely true anymore. About a week ago Google updated Google Search so that Google Now has a visual search that reads barcodes now.

Re:This could be really dangerous! (1)

houghi (78078) | about a year and a half ago | (#42262793)

Sure you can see where it goes, but that does not mean much.
http://s.houghi.org/temp/dbme4p.png [houghi.org]
Scan it and it will point to http://s.houghi.org/dbme4p [houghi.org]
That is a 302 forwarder to http://localhost/ [localhost]
http://s.houghi.org/dbme4p.png [houghi.org] will give all the info

Now imagine that something like this is hanging on the high street and it is some other (self-made) forwarder. Even though people are aware that ads are lies, they do somewhat trust that an ad for Coca-Cola is placed there by Coca-Cola and the company is responsible for the content.

Re:This could be really dangerous! (1)

Shoten (260439) | about a year and a half ago | (#42255737)

Since I'm in that same boat, isn't there some "navigate to site xyz" confirmation? Or does the phone stupidly start running some executable code? Because that would be a really dumb implementation error.

Even if there were...most people wouldn't pay enough attention to notice that they were about to navigate to "www.MakeMyAndroidYourButtmonkey.cn" while they were on their way through the mall to get a Cinnabon. You can see what web address you're about to go to in an email link if you just hover over it, in most email clients (web or not), yet still many people fall for phishing schemes. And that's when you're sitting down at a computer, not walking around in the middle of other things and surrounded by distractions.

Re:This could be really dangerous! (2)

History's Coming To (1059484) | about a year and a half ago | (#42255829)

There will always be ways around it - imagine a QR which links to a shortened URL (say http://du.rr/7en3if8 [du.rr] ), which is a link to http://www.myhackedblog.com/1/2/3/4/5/a/b/c/redirect.htm [myhackedblog.com] which links to http://www.cnn.com.news.hackeddomain.com/reallyfunnypicture.com [hackeddomain.com]

You think anybody is going to be able to check there isn't a malicious script at the end of that? The vast, vast majority of people won't even be able to check the trail beforehand, they either have to click or not click, and it's A FUNNY PICTURE!

Which is why we need a very clear THIS IS THE END POINT protocol, no shortened URLs, no redirect services. Back in the day a redirect or script call to an external URL was seen as being dodgy, now it's de rigueur because of the advertising industry. Now we're going back full circle.

Re:This could be really dangerous! (2)

TheLink (130905) | about a year and a half ago | (#42256869)

Include/embed a funny picture/video in addition to the malware payload and people will even spread the link for you.

Re:This could be really dangerous! (0)

Anonymous Coward | about a year and a half ago | (#42258203)

Which is why we need a very clear THIS IS THE END POINT protocol, no shortened URLs, no redirect services.

There is no protocol which can reliably detect and/or prevent a web page from giving you a local resource which is in reality just a placeholder for information retrieved from a remote source.

"Back in the day" redirects were seen as dodgy partially because bandwidth was limited, and partially because there were a lot of browser vulnerabilities which you could take advantage of using redirects. The root of the problem is the browser being a piece of shit, it shouldn't matter what kind of site you navigate to there's no excuse for the browser being a security risk. We keep cobbling more features onto the browsers which is what really drives the problem, adding support for non-standard technologies, etc. just makes it worse.

[hackeddomain.com] (1)

alostpacket (1972110) | about a year and a half ago | (#42258527)

I think it's interesting that slashdot got it. Maybe there is no pure security out there, but clearly there are preventative steps that could help.

Re:This could be really dangerous! (0)

Anonymous Coward | about a year and a half ago | (#42255831)

If there's really a site that can 'make your android someone's butt monkey' just by viewing it in a web browser, then the problem doesn't lie in how people might arrive at such a site ...

Re:This could be really dangerous! (1)

mikael (484) | about a year and a half ago | (#42255279)

I've found it the quickest way to transfer a web address bookmark off my PC and onto my smartphone, without the ******** hassle of going through about ten different menus, exiting application, entering system menu, enabling USB, confirming that I want to enable USB, confirming that I accept my applications being affected by not being able to write to the SD CARD, pulling out and pushing in the USB charger cable again, confirming that I am ready, then disabling USB.

Re:This could be really dangerous! (1)

Ardyvee (2447206) | about a year and a half ago | (#42255317)

But then you're probably the one generating it. Or should be :p

Re:This could be really dangerous! (0)

Anonymous Coward | about a year and a half ago | (#42255365)

That still sounds like a hassle. I myself use Chrome to Phone [google.com] . Whenever I see something I want on my smart phone, I click a button on my browser and it appears on my phone.

Re:This could be really dangerous! (1)

BoogeyOfTheMan (1256002) | about a year and a half ago | (#42255649)

Opera Mobile (NOT Opera Mini) also allows you to do this. You can have it sync your bookmarks and saved passwords between devices that you have Opera installed on. It's helpful if you use multiple computers and/or devices. Works with Android, Linux, and Windows. Probably OSX and iOS too, but I don't use those.

Re:This could be really dangerous! (0)

Anonymous Coward | about a year and a half ago | (#42255369)

Do you have a Droid?

https://play.google.com/store/apps/details?id=com.sand.airdroid

Set it up so you have a regular password you use and create a bookmark for the URL. Run the app on your phone, go to the bookmark on your computer, type in your password, put in the URL via the interface.

Or, if you use Chrome, use the Chrome to Mobile extension.

Re:This could be really dangerous! (0)

Anonymous Coward | about a year and a half ago | (#42255459)

Email it, click email on phone.

Re:This could be really dangerous! (0)

Anonymous Coward | about a year and a half ago | (#42255633)

Yeah, or if you're using a Mac and iPhone, iMessage it to yourself. It goes to all your devices, then disappears once you click it on one.

Re:This could be really dangerous! (0)

Anonymous Coward | about a year and a half ago | (#42255463)

Or you could use Google Chrome with sync, which instantly makes your bookmark available on all your Chrome instances, no matter where they run.

Re:This could be really dangerous! (2)

chronokitsune3233 (2170390) | about a year and a half ago | (#42256385)

This is my method. Chrome opens up on my mobile, and I open a new tab. Go to "Bookmarks > Desktop Bookmarks" et voilà! Easy peasy! Even better is the ability to open a page that you had been viewing on your phone/tablet in the desktop version of Chrome. I prefer to read with less scrolling and zooming, but that's just a personal preference, I suppose.

Re:This could be really dangerous! (1)

mcgrew (92797) | about a year and a half ago | (#42260897)

hassle of going through about ten different menus, exiting application, entering system menu, enabling USB, confirming that I want to enable USB, confirming that I accept my applications being affected by not being able to write to the SD CARD, pulling out and pushing in the USB charger cable again, confirming that I am ready, then disabling USB.

Why not use Bluetooth? A bluetooth dongle for your PC costs $20 at WalMart, and if a smart phone didn't have it I wouldn't buy the phone -- hell, I've had dumb phones with Bluetooth.

But since you are using USB, why does it need to be disabled at all? USB is a cord, not a radio signal. If someone can hack your phone with USB they already have it in their possession, and USB being disabled will be no barrier.

Re:This could be really dangerous! (1)

Hognoxious (631665) | about a year and a half ago | (#42263019)

F A C E T I O U S spells facetious. Can you use the word facetious in a sentence?

Although it's equally possible he has a Nokia. What he describes would be a vast improvement over their Ovi suite.

Re:This could be really dangerous! (0)

Anonymous Coward | about a year and a half ago | (#42264677)

can't just email?

Re:This could be really dangerous! (4, Funny)

MrEricSir (398214) | about a year and a half ago | (#42255297)

This is why I'm sticking with my :CueCat.

Re:This could be really dangerous! (0)

Anonymous Coward | about a year and a half ago | (#42255445)

What a Tandy thing to do!

Re:This could be really dangerous! (1)

Anonymous Coward | about a year and a half ago | (#42255327)

I used a QR code exactly once, when I realized it just went to a video ad, I realized they were just compact banner ads.

Still, if that was a malicious QR code, my phone could have been compromised.

Re:This could be really dangerous! (1)

mcgrew (92797) | about a year and a half ago | (#42264201)

Still, if that was a malicious QR code, my phone could have been compromised.

More likely (and more easily) your Windows PC when you transferred the files to it. Smartphones are a fractured market, while Windows PCs are a monoculture. Plus, Windows PCs are a lot less secure than any phone. Considering how locked down phones are, they may even be safer than Macs and Linux.

Re:This could be really dangerous! (0)

Anonymous Coward | about a year and a half ago | (#42256765)

http://picturesofpeoplescanningqrcodes.tumblr.com/

Site's coming up on a year old now.

I don't use QR codes (3, Funny)

dmomo (256005) | about a year and a half ago | (#42255193)

No way. Rick Astley? Goatse? Not worth the risk.

Re:I don't use QR codes (3)

emurphy42 (631808) | about a year and a half ago | (#42255265)

I love how those two things are like equally heinous in your book. :)

I scan 'em once in a blue moon, but my phone app shows you the URL and asks confirmation, so at least there's that.

Re:I don't use QR codes (0)

Anonymous Coward | about a year and a half ago | (#42256963)

Ditto here. If the QR code embeds a bit.ly or other short URL, then I ignore it at that point. URL redirectors are anathema to using QR codes...

Re:I don't use QR codes (1)

Inda (580031) | about a year and a half ago | (#42259079)

Which phone app man?!?! We need to know! :)

If we're on Android, and the Google tin foil hat is a nice fit, Google Goggles does a good job at reading QR Codes. It too displays all the information before you get a chance to click. It's even picked out QR Codes from the background of portrait photos, and when I first saw that, it was one of those 'neat' moments.

People are talking about encoded URLs on this thread, but I've had a bit of fun encoding large amounts of text in a QR Code, which was then printed inside a birthday card. If the readers were more widely used, I'd have a QR code on one of my seven screens, and it would hold vCard data.

Re:I don't use QR codes (1)

Hognoxious (631665) | about a year and a half ago | (#42263057)

One is anous and the other is heinal.

Wow... (0)

Anonymous Coward | about a year and a half ago | (#42255197)

No. Shit. Sherlock.

whodathunkit? (0)

Anonymous Coward | about a year and a half ago | (#42255219)

I would have never guessed this would happen....

Does anyone use QR codes? (1)

Darkness404 (1287218) | about a year and a half ago | (#42255231)

Does anyone actually use QR codes to go to websites? I've only used a handful of QR codes and those were for store promotions where if you were in their store you could scan a QR code and get a virtual "scratchers" ticket which would tell you if you won a prize or not.

Yes, and my /. id is smaller than yours (0)

Anonymous Coward | about a year and a half ago | (#42255251)

I use them, but I won't anymore. Now I will need to disable them in Google Glasses or something.

Re:Yes, and my /. id is smaller than yours (4, Funny)

SuperKendall (25149) | about a year and a half ago | (#42255299)

Now I will need to disable them in Google Glasses or something.

The Glasses! They do something!

Your pencil's smaller - you don't get it (0)

Anonymous Coward | about a year and a half ago | (#42256347)

The Glasses! They do something! by SuperKendall (25149) on Tuesday December 11, @06:34PM (#42255299)

Brain jammin' viruses by strobes man! You noobs'll see (literally).

Re:Does anyone use QR codes? (1)

medv4380 (1604309) | about a year and a half ago | (#42255311)

Would malware makers even bother with the stickers if people didn't use them?

Re:Does anyone use QR codes? (1)

drkim (1559875) | about a year and a half ago | (#42257943)

Would malware makers even bother with the stickers if people didn't use them?

That's like asking if people are dumb enough to think they will make millions cashing checks for some lawyer in Nigeria.

Ha, ha, ha, ha, ha, ha, ha, ha.

Re:Does anyone use QR codes? (0)

Anonymous Coward | about a year and a half ago | (#42255401)

Does anyone actually use QR codes to go to websites? I've only used a handful of QR codes...

Well you do...

Re:Does anyone use QR codes? (1)

Darkness404 (1287218) | about a year and a half ago | (#42255453)

But the ones I use are promotional ones meaning that the malware wouldn't work, it would just say "scan again" or something.

Re:Does anyone use QR codes? (1)

norpy (1277318) | about a year and a half ago | (#42255653)

You should stop reading slashdot, it's not for you.

How the fuck do you think the qr code redirected you to the "scratcher" ticket?

Re:Does anyone use QR codes? (2)

davebarnes (158106) | about a year and a half ago | (#42255481)

Yes,
They are very useful on real estate For Sale signs.

Re:Does anyone use QR codes? (1)

aaarrrgggh (9205) | about a year and a half ago | (#42256063)

More useful than opening Zillow or RedFin, getting a GPS fix, and immediately having all the MLS data?! Not quite sure how, but to each his own.

Re:Does anyone use QR codes? (1)

plover (150551) | about a year and a half ago | (#42257645)

I'd hazard a guess that it's far more common that average potential buyers scan the QR codes instead of loading up those apps.

Of course, now I have a good idea where to place my QR stickers...

Please to be visiting my web internet site page! (1)

For a Free Internet (1594621) | about a year and a half ago | (#42255263)

Please to be visiting my web internet site page! Stacey made it for me and we are having a fun party there for only the cool people so word, yo.

Re:Please to be visiting my web internet site page (0)

Anonymous Coward | about a year and a half ago | (#42255381)

What the actual fvck?

I don't scan with my feet (1)

aNonnyMouseCowered (2693969) | about a year and a half ago | (#42255295)

I know it's about pedestrian, rather than vehicular, traffic. But for an instant I thought some genius had thought of an exploit for high-tech shoes that had QR code scanners in their soles that linked to their smartphones.

Now that would be a plot for a near future sci-fi novel. A sort of Apple maps-like fiasco that would send hapless pedestrians falling off bridges or onto the freeway.

Norton Snap QR code reader (3, Informative)

doug141 (863552) | about a year and a half ago | (#42255405)

It'll check out the site before connecting you, and is one of the few free code readers that doesn't require location permissions.

Re:Norton Snap QR code reader (0)

Anonymous Coward | about a year and a half ago | (#42255839)

not sure why you'd ever use a qr code reader other than the zebra crossing one. [google.com] open source and handles everything.

Re:Norton Snap QR code reader (0)

Anonymous Coward | about a year and a half ago | (#42257175)

Seconding the "Barcode Reader" app:

https://play.google.com/store/apps/details?id=com.google.zxing.client.android&hl=en

Screw Norton and their shitty softwares.

Obfuscated URLs (5, Interesting)

agiacalone (815893) | about a year and a half ago | (#42255407)

Any time you obfuscate the underlying address in a URL you pose a security risk.

QR codes are no different than shortened URL services like bit.ly or goo.gl. All of these have the potential to take users to malicious websites because they can't be easily identified to the human reader.

Re:Obfuscated URLs (0)

Anonymous Coward | about a year and a half ago | (#42255527)

If you can reliably identify malicious websites by looking at the URL, you're exceptionally smart. If in turn you would trust a shortened URL or QR code more than a normal-looking address, the inverse is true.

Re:Obfuscated URLs (0)

Anonymous Coward | about a year and a half ago | (#42256579)

If you can reliably identify malicious websites by looking at the URL, you're exceptionally smart. If in turn you would trust a shortened URL or QR code more than a normal-looking address, the inverse is true.

Smart is exceptionally you? Sounds soviet Russian, no offence.

Re:Obfuscated URLs (1)

Dishevel (1105119) | about a year and a half ago | (#42255657)

Each reader I have used shows the URL.
If it shows a bit.ly or some other URL shortened crap or even something I do not recognize I skip it.

Re:Obfuscated URLs (0)

Anonymous Coward | about a year and a half ago | (#42256687)

Why do we have a situation where loading a malicious URL can get you pwned in the first place? Choosing to load and display a webpage should not be an act of trust that the server isn't going to hijack your browser.

Re:Obfuscated URLs (1)

sunderland56 (621843) | about a year and a half ago | (#42256923)

Actually, URL shortening services are worse - the malware could be inserted by the shortening service itself. Two points of attack, instead of just one.

It constantly amuses me how many newspapers have articles and editorials saying how evil the Libyan government is - and then they use the bit.ly service to link to other material.

Re:Obfuscated URLs (2)

tlhIngan (30335) | about a year and a half ago | (#42257539)

QR codes can contain more than just a URL.

They can contain a phone number, for example. Like when that Samsung bug was exposed where you dial a specific number and it factory-resets your phone. Scan the QR code, tap "go" and boom, phone's reset and you've lost all your data, games, contacts, etc.

Just do it with something like "call this number to get free minutes" or something...

Re:Obfuscated URLs (0)

Anonymous Coward | about a year and a half ago | (#42260577)

Just wait til this stuff creeps into the Street View image files.
Your car will be looking for information and getting misled, and glancing at the wrong thing will take over your eyeglasses.

Malicious QR codes are nothing (2)

BeerAndLoathing (810465) | about a year and a half ago | (#42255449)

I'm far more afraid of vicious gangs of Keep Left signs

QR Codes? (0)

Anonymous Coward | about a year and a half ago | (#42255505)

I won't click a link without being able to see where it goes. No shortened urls, and definitely no QR codes.

Re:QR Codes? (0)

Anonymous Coward | about a year and a half ago | (#42255859)

Presumably, you don't browse the web, then? Or do you have javascript permanently disabled?

Too bad Slashdot doesn't do Unicode (0)

Anonymous Coward | about a year and a half ago | (#42255629)

Otherwise I'd try to create a QR code in a post, using box-drawing characters [wikipedia.org] , pointing to mal.icio.us.

Haven't We Known This For Centuries? (2)

IonOtter (629215) | about a year and a half ago | (#42255891)

If you insert your reproductive organs into an unverified orifice, or allow unverified reproductive organs or objects into your orifice, you run the risk of catching an infection.

Why should sticking a QR code into your phone be any different?

Re:Haven't We Known This For Centuries? (1)

leehwtsohg (618675) | about a year and a half ago | (#42256031)

Why should sticking a QR code into your phone be any different?

less fun?

Re:Haven't We Known This For Centuries? (0)

Anonymous Coward | about a year and a half ago | (#42257065)

Why do we have browsers that treat a URL as an orifice into which to insert your reproductive organs, rather than an orifice to be examined with a flashlight from a safe distance? Browsers are supposed to display information, not run malware.

Re:Haven't We Known This For Centuries? (1)

drkim (1559875) | about a year and a half ago | (#42257991)

Why do we have browsers that treat a URL as an orifice into which to insert your reproductive organs, rather than an orifice to be examined with a flashlight from a safe distance?

...uh, because browsers are designed by lonely programmers, instead of bomb squad techs.

Re:Haven't We Known This For Centuries? (1)

RivenAleem (1590553) | about a year and a half ago | (#42259021)

I sometimes do 3, even 4 QR codes in a day, what does that make me?

I've always thought QR codes were dumb. (2)

sootman (158191) | about a year and a half ago | (#42255971)

At least in the realm of getting a small bit of info from a printed surface into a modern (i.e., powerful) mobile device. Why not just have some human-readable text in a nice machine-readable font [wikipedia.org] inside a distinctly-shaped box? Mobile devices can easily read lots of kinds of text, but a) this one has high reliability and b) the font itself conveys the purpose. For a shape, the existing QR box -- a square with three smaller squares -- would work, or it could be something new.

This would solve THREE problems: 1) much less chance of malicious URLs, 2) you wouldn't need to scan it with a machine to see if you even want it in the first place, and 3) they'd be much easier to generate.

Re:I've always thought QR codes were dumb. (1)

sunderland56 (621843) | about a year and a half ago | (#42256899)

and 4) if you can't scan the QR code when you see it, you have a reasonable chance of remembering a decent URL; you have zero chance of remembering a QR code.

Re:I've always thought QR codes were dumb. (1)

Anonymous Coward | about a year and a half ago | (#42257265)

Microsoft's version of QR codes uses colorful triangles and is effective in the wow-factor. I see it used in a local daily newspaper for a lol-cat-type column where they don't want the URL known by us unwashed masses.

Two reasons they are worse than QR codes:
+ Tracking. I am surprised not to have seen anybody mention this, so my guess is that standard QR codes are indeed deterministic and just decode some set graphic to text / url to process according to some type sentinel. The problem here is MS houses a central server and ALL transactions go through them... GPS location + ad impression data must cost a pretty penny.

+ Deceit - disguised as convenience - they can change or invalidate the URL easily without changing the original code just going into the Database. Probably better than having to redirect you from the original page because ad managers do not always have domain control over the target URL... until Microsoft came along and decided to insert itself in the market early.

Re:I've always thought QR codes were dumb. (1)

bitingduck (810730) | about a year and a half ago | (#42258473)

QR codes do just encode straight data, text, or a link, but many of the sites that will generate them for free for you actually generate a link to their own site and forward to your site, so they can be doing the same kind of tracking. The best way to do them is to print the link (or at least the domain) in readable text along with the QR, so that you can at least check that they resolve the same way. There's plenty of free software that will generate good QR codes without the deceit, but most people who want to use them probably can't easily download and run code, and may not even realize that the code they downloaded from a site goes through a redirect.
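The checks commenters describe in this thread (skipping shortened URLs, spotting a hostname like www.cnn.com.news.hackeddomain.com, noticing dial payloads, and comparing the decoded link with a domain printed beside the code), gathered into one added example; it is not part of any comment and not code from any scanner app. The host lists, the function names and the sample payloads are constructed assumptions.

```python
from urllib.parse import urlsplit, unquote

# Assumption: constructed lists for illustration; a real scanner would load
# maintained lists instead.
SHORTENER_HOSTS = {"bit.ly", "goo.gl"}            # shorteners named in the thread
PROTECTED_DOMAINS = {"cnn.com", "wikipedia.org"}  # domains a user expects to recognise


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Simplification: suffixes such as co.uk need the Public Suffix List.
    """
    labels = [label for label in host.lower().rstrip(".").split(".") if label]
    return ".".join(labels[-2:])


def assess_qr_payload(payload, printed_domain=None):
    """Classify decoded QR text and list warnings to show before any tap.

    printed_domain is the human-readable domain printed next to the code,
    if there is one (hypothetical parameter for this example).
    """
    result = {"kind": "text", "host": None, "registrable": None, "warnings": []}
    warn = result["warnings"].append
    text = payload.strip()
    try:
        parts = urlsplit(text)
    except ValueError:
        warn("unparseable")
        return result
    scheme = parts.scheme.lower()

    if scheme == "tel":
        # A QR code can ask the phone to dial; show that, never auto-dial.
        result["kind"] = "dial"
        number = unquote(text.split(":", 1)[1])
        warn("dial-request")
        if "*" in number or "#" in number:
            warn("service-code-characters")
        return result

    if scheme not in ("http", "https"):
        if scheme:
            result["kind"] = "other-uri"
            warn("non-web-scheme:" + scheme)
        return result  # plain text is only displayed

    host = (parts.hostname or "").rstrip(".")
    result.update(kind="url", host=host, registrable=registrable_domain(host))
    if not host:
        warn("no-host")
        return result

    if host in SHORTENER_HOSTS or result["registrable"] in SHORTENER_HOSTS:
        warn("shortener-hides-destination")

    # A familiar name in the left-hand labels says nothing about who owns
    # the site; only the registrable domain at the right-hand end does.
    dotted = "." + host + "."
    for brand in sorted(PROTECTED_DOMAINS):
        if "." + brand + "." in dotted and result["registrable"] != brand:
            warn("brand-in-subdomain:" + brand)

    if printed_domain and registrable_domain(printed_domain) != result["registrable"]:
        warn("printed-domain-mismatch")
    return result


# Constructed sample payloads (not captured from real stickers).
SAMPLES = [
    ("http://www.cnn.com.news.hackeddomain.com/reallyfunnypicture.com", None),
    ("http://en.m.wikipedia.org", "wikipedia.org"),
    ("http://bit.ly/EXAMPLE", "www.example.com"),
    ("tel:*EXAMPLE%23", None),
    ("Happy birthday from all of us", None),
]

if __name__ == "__main__":
    for payload, printed in SAMPLES:
        verdict = assess_qr_payload(payload, printed)
        print(payload, "->", verdict["kind"], verdict["warnings"])
```

These checks only describe the first hop: a shortener or forwarder can still answer with a 302 to anywhere, which is why the shortener case is reported as a warning rather than resolved.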

Surprised (1)

manu0601 (2221348) | about a year and a half ago | (#42256917)

Well, I am surprised it took so long to appear. The attack is easy and the gains are obvious.

Re:Surprised (1)

wvmarle (1070040) | about a year and a half ago | (#42258267)

It's also a lot of work compared to other attack vectors.

After finding the obvious exploit and crafting your site (for whatever attack you plan), sending out lots of spam or placing compromised ads will allow you to reach millions of potential victims in a very short time, with limited effort.

Those QR codes mean you have to go out, find suitable places to physically stick them to, and then hope someone will actually scan them. Sounds like a lot more work, with far less results, than the more traditional routes.

Re:Surprised (1)

bitingduck (810730) | about a year and a half ago | (#42258485)

It's also a lot of work compared to other attack vectors.

...

Those QR codes mean you have to go out, find suitable places to physically stick them to, and then hope someone will actually scan them. Sounds like a lot more work, with far less results, than the more traditional routes.

And you have to pay actual money for those stickers or fliers that you're sticking to things, and maybe even have to pay someone to do it. More traditional all digital vectors probably give you a lot more bang for the buck.

The gift that keeps on giving (1)

maroberts (15852) | about a year and a half ago | (#42257691)

When you put links to Tubgirl and Goatse on top of realtors' (estate agents') QR codes

Subversion time. (1)

SuricouRaven (1897204) | about a year and a half ago | (#42257939)

1. Find film posters.
2. Apply QR code pointing to a pirate source for that film.
3. No profit. That's the idea.

I predict... BlipQRs! (1)

drkim (1559875) | about a year and a half ago | (#42258041)

I predict the next QR code attack will be:
Malware QR codes blinked on TV screens, or web pages, just long enough to drive exposed phones and devices to hostile sites.

Sorta like digital subliminals.

I'll risk person has same. (1)

Impy the Impiuos Imp (442658) | about a year and a half ago | (#42260979)

Follow the money. Sooner or later someone has to take money out of the ultimate destination account.

Then, testicleectomy is warranted.

I did it ... (0)

Anonymous Coward | about a year and a half ago | (#42286629)

I did it but instead people are taken to an image of a goatse.
