Are QR codes bad?

I am just speaking of the very basics I expect from such a program. And it was not only that pic that told me “yes or no decisions are enough for this app”. You may thought in another way, but I couldn’t read out of your posts.

you just answered the question by yourself.
By doing it the manual way you have a far better control what you are doing.

Perhaps the difference in our opinions is that you are focusing on the theoretical point that the handling of a URL (in its full generality) can be anything (subject only to support in the software that is doing the handling) and it doesn’t matter how the URL is represented - while I am focusing on the practical points about how things are actually implemented and/or actually used.

Here’s another fun consideration … any HTTP URL can be subject to redirection. So even if you know where a QR code says to visit, that may not be the whole story as to whether the QR code is safe. The URL may be a well-known link redirection service, or an obscure one, or a purely malicious one. Furthermore, the HTTP RFC appears to allow redirection to even less safe content (like wifi: or sip: or smsto: or anything else).

Any elaboration on your original comment that attacks and hacks exist for QR codes?

I don’t think people attack qr codes, but rather make malicious qr codes to attack qr scanners/readers.

What @wednesday appears to be doing is conflating the two pieces. The actual concern they’ve alluded to is on the reader/scanner being exploited by a code not the code itself being attacked.

As for are qr codes bad? Sometimes… Some are malicious and exploit poorly implemented scanners/readers. Some are not malicious.

Any input could be malicious, that doesn’t mean we get rid of the input method…

Another way in which this is non-trivial ties in with the discussion of the EU vaccination passport (Digital Green Certificate). Sure either your browser or your dedicated QR code handling app can decode the QR code but what then? (I see that you already read my topic on that.) Without a detailed knowledge of the information encoded therein, you can’t possibly make an informed decision.

Technically the same applies to URLs thrown at a browser. For example, in my country, a COVID QR code for check-in purposes will decode to a URL like https://example.com/path?data=opaque where opaque is a long complex string, whose format is not immediately obvious (and is not to my knowledge even documented).

QR codes are badwhen they are not accessible. Not everyone has a device with a builtin camera and the correct software, and a full battery.

When the code points to an online resource, it’s bad already. Who can parse that with their eyes? Just write the link underneath, and let the code be a convenient way to follow it.

It’s worse still when the code is some free form text. I’ve encountered a wall full of huge QR codes at one university – the codes contained excerpts from a book. As a gimmick, it’s cool, but why should I need an electronic device to read a couple paragraphs, when those could be printed directly instead?

In the end, my position is: QR codes are not accessible, so write the contents in plain format next to it, otherwise you smell.

Sounds like the code itself isn’t the problem here but rather you would prefer the code be optional.

I do agree with the general sentiment that, generally, the information should also be available another way.

There are, however, times where it makes sense for the QR code to just be a database identifier for inventory management and it doesn’t need to be human readable because the only context for accessing the information involves a database lookup to get to the human readable content.

Poor usage of QR codes doesn’t make the technology bad, those could have been UPC’s, hieroglyphics, text with no context, or any other poor communication. Poor usage/implementation is a separate issue, in my opinion.

That is an additional front on which to attack QR codes. They exclude people (who can’t afford the hardware or choose not to etc.).

That is a slight social engineering risk i.e. if the human-readable copy underneath does not match what is in the QR code. The human-readable copy is designed to look harmless and trustworthy - while the QR code version directs you to a malicious web site that will cause you to download some content that exploits a known bug in the processing code for the content, for example. (This would be relying on human laziness. The human-readable copy looks harmless but I couldn’t be bothered typing it in so I’ll just scan the QR code.)

This is similar to the problem with having a visible stamp (visible hint) on a PDF document that has been digitally signed. Only the digital version has integrity and the digital version is what you should rely on. Once you have two copies they might not be the same, they might not be telling you the same thing.

This shouldn’t be a problem if the QR code encodes purely free form text. However with a lack of standards, what exactly is free form text? There is a risk that one particular phone operating system/version recognises a URL that others don’t e.g.
fubar:33BDB1D5E89C84027220DAB338F7B21E4DBCB5322BC36A0ED462EF5A9C46052D
might compromise one phone but get only a shrug of the shoulders from most.

This is similar to problems that have arisen in the past with MIME types and content handlers. Someone somewhere a long time ago put in some latent, possibly unfinished, support for a MIME type (for debugging? troubleshooting? internal use only?) and then everyone promptly forgot about it … until some hacker (blackhat or whitehat) rediscovers it.

But then a blind person might find the QR code more accessible than any free form text.

The phone can automatically locate the QR code in the viewfinder (so accurate pointing is not required) and the phone can validate a good scan (via the Reed-Solomon ECC) - and then proceed to read the text to the user.

Adding: And the blind person gets something that the sighted person does not. The QR code content can be digitally signed so that the text is provably authentic.

You’d think so, but if a QR code is just an overgrown bar code, then most bar codes also have a human-readable form (numbers) underneath.

I’m sure there are use cases where human accessibility isn’t needed at all, but those are going to be rare.

A URL in any form excludes people i.e. those who don’t have access to the internet (yes, they do exist ).

Sure, the database ID is there, and it has no value without the database and doesn’t prevent the wrong information from being placed with the code. I’ve seen wrong prices/descriptions with barcodes before that doesn’t mean barcodes are bad…
And in that specific context the reason for the database ID to be included is that there is an alternate input method available if the scanner has failed.

It may be that some use cases would prefer to fail closed, ie if the scanner fails use a different device don’t allow manual entry.

My point was merely that qrcodes like barcodes can be more convenient and having it as an option isn’t a bad thing; and that there may even be exceptions where having it as the only option could be beneficial. I’m not saying those situations are common, they’re exceptions.

And? Some people will sometimes not have access to some things. No technology is inclusive of everyone.

Well, that’s the entire point of accessibility. There’s a lot that “and” can expand into.

Sure, but then we’ve branched away from the topic. As no technology can include everyone I fail to see how excluding as small of a percentage of people as is feasible makes this bad without devolving into all technology is bad because it isn’t inclusive of everyone.

The badness of a technology would depend on how many people are affected and how badly (excluding some people always or excluding a lot of people randomly?), so I think we’re still on topic.

We’re just exploring all the ways that QR codes are good and all the ways that QR codes are bad.

There is no judgement as to how a person might weight those considerations. As @dcz says, if you did come to weight those considerations, while avoiding considering self-interest only, then you would want to understand the percentages who would be excluded - and before you could even do that you would have had to explore what percentages you are going to have to measure.

One consideration could be that there is a legislated right, or a right derived via some other means, such that excluding anyone is a legal problem. In other words, there would be a legal obligation to provide an alternative mechanism.

Example: Imagine a medium term future where all voting is done electronically using an app that is only available for iOS and Android (and let’s say, for relevance to the topic, scanning a QR code is part of the process). Would that be legally acceptable? Depends on the country of course but in most if not all democracies, probably not.

Definitely digressing now but there are some barcodes where the human-readable version is a representation that is only an approximation, and hence it is not possible to enter the human-readable version and get the same behaviour as scanning the barcode.

If QR codes are like apps, then there is no reason to assume that QR codes and scanner apps are wholly trusted without skepticism.

I say that QR codes and scanner apps might need GNU/Linux standardization in order to mitigate as such cyberattacks as possible. We all know that QR requires access to data and camera. We need to figure out how to prevent unauthorized access to data and camera. Let’s not forget about face camera!

Like any malware, things are waiting to happen. Just check out this article.

That’s a app server containing malware ready for unsuspecting downloads. QR codes and scanner apps are no exception.

I experienced this exact issue when I went to a restaurant with the Alcatel Go Flip 3 (KaiOS). In this particular example, a QR code is provided on the centre of the table that probably links to an online menu, so instead I had to ask a server to bring a physical menu instead because my phone plan has no data and the phone itself does not scan QR codes.

Sort of like how Android and iPhones work. ‘Get with the times or get lost in the dust’, is their approach.
IMO - humans are the most sought after commodities on the 'net. And, being lazy, we all use the path of least resistance.

A side note:
During COVID when restaurants were allowed open under special rules, the Host would ask for one’s cell number so they could contact us if COVID were found to be at the restaurant. I told her I didn’t have a cell. She said, “You don’t have a smartphone?”
I replied w/ “Nope, not even a clever phone.” she said “How do you stay connected!!!” and without waiting for a answer, said “Follow me” did an about face, and marched us to our table. Weird!

I hoped to find in this Topic a means or way of testing for bad QRCs.

(duckduckgo.com) “Over 96% of popular free Android apps we tested allow other companies to invade your privacy, like…”

That was to be my next point, that of questionable “apps”.
I won’t use my phone, if/when I can, to scan QRCs, or download any app until I know everything about it.

Unfortunately, there are too many Apathacans w/ cells, digital phones or best described as a leash. Apathacans would rather give up their rights than turn to safer devices due to cost, it’s a binary rabbit hole and intense learning curve.

Google is in charge of the Internet as we once knew it and if QRCs make it easier to stalk people, Google’s path of least resistance is to abuse QRCs. Apps are proof of that. Why wouldn’t they? Look at what they did with Google Fonts, Tags, and CDNs.

One of the anti-malware bosses lists many ways QRCs are abused and how to protect one’s self from nefarious QRCs and how to safely generate your own. Check out [Malwarebytes QRC page.] (QR codes explained: How they work and how to use them securely)

A dog is often tied to a leash. Who owns the leash? The dog or dog owner?
Who owns one’s cell phone? Apple or Google?

Just my ramblings - nothing more,
~s

In my opinion, there is no guaranteed way to test a QR code for badness, so the only reasonable expectation is that the software presents a decode of the QR code before actioning it and the information is presented in a way that is meaningful to the user i.e. so that consent is informed.

Firefox has functionality to verify domains against a list of known “poor reputation” domains - which a user of course must be able to disable and/or override - and perhaps that would be a starting point with QR codes if you want more than the previous paragraph.

However because QR codes cover much broader functionality than just leading you to a web site, it needs more than checking the reputation of the domain. (QR codes cover anything from sending an email or text message to associating with a new Wireless Access Point or storing a new Contact, and lots more besides.)

Even within the limited scope of web sites, QR codes are subject to at least three of the attacks that apply more generally to web usage:

• truncated domain names (i.e. deliberately long domain names where the most significant labels are badness but only the least significant labels get displayed on the screen)
• IDN homograph attack (i.e. where the full domain name looks completely legitimate but in fact one of the characters of the legitimate domain name has been replaced by a similar- or identical-looking character)
• link shortening services (i.e. the reputation of the service may itself be fine but the only way to know where the QR code will lead is by accessing the link shortening service - itself a potential privacy and security problem - and, if that is done, then the actual destination given by the link shortening service must then be iteratively subject to the same checking)

If you are really keen to test a QR code for badness then do as I (sometimes) do … don’t scan the QR code, photograph it. Then decode the JPEG image of the QR code yourself with the zbarimg command (package zbar-tools).

If you are super-keen (bonus points) then you can use wget to follow a link shortening service in a way that may be safer than using a browser.