Are QR codes bad?

Well, that’s the entire point of accessibility. There’s a lot that “and” can expand into.

Sure, but then we’ve branched away from the topic. As no technology can include everyone I fail to see how excluding as small of a percentage of people as is feasible makes this bad without devolving into all technology is bad because it isn’t inclusive of everyone.

The badness of a technology would depend on how many people are affected and how badly (excluding some people always or excluding a lot of people randomly?), so I think we’re still on topic.


We’re just exploring all the ways that QR codes are good and all the ways that QR codes are bad.

There is no judgement as to how a person might weight those considerations. As @dcz says, if you did come to weight those considerations, while avoiding considering self-interest only, then you would want to understand the percentages who would be excluded - and before you could even do that you would have had to explore what percentages you are going to have to measure.

One consideration could be that there is a legislated right, or a right derived via some other means, such that excluding anyone is a legal problem. In other words, there would be a legal obligation to provide an alternative mechanism.

Example: Imagine a medium term future where all voting is done electronically using an app that is only available for iOS and Android (and let’s say, for relevance to the topic, scanning a QR code is part of the process). Would that be legally acceptable? Depends on the country of course but in most if not all democracies, probably not.

Definitely digressing now but there are some barcodes where the human-readable version is a representation that is only an approximation, and hence it is not possible to enter the human-readable version and get the same behaviour as scanning the barcode.

If QR codes are like apps, then there is no reason to assume that QR codes and scanner apps are wholly trusted without skepticism.

I say that QR codes and scanner apps might need GNU/Linux standardization in order to mitigate as such cyberattacks as possible. We all know that QR requires access to data and camera. We need to figure out how to prevent unauthorized access to data and camera. Let’s not forget about face camera!

Like any malware, things are waiting to happen. Just check out this article.

That’s a app server containing malware ready for unsuspecting downloads. QR codes and scanner apps are no exception.

1 Like

I experienced this exact issue when I went to a restaurant with the Alcatel Go Flip 3 (KaiOS). In this particular example, a QR code is provided on the centre of the table that probably links to an online menu, so instead I had to ask a server to bring a physical menu instead because my phone plan has no data and the phone itself does not scan QR codes.

1 Like

Sort of like how Android and iPhones work. ‘Get with the times or get lost in the dust’, is their approach.
IMO - humans are the most sought after commodities on the 'net. And, being lazy, we all use the path of least resistance.

A side note:
During COVID when restaurants were allowed open under special rules, the Host would ask for one’s cell number so they could contact us if COVID were found to be at the restaurant. I told her I didn’t have a cell. She said, “You don’t have a smartphone?”
I replied w/ “Nope, not even a clever phone.” she said “How do you stay connected!!!” and without waiting for a answer, said “Follow me” did an about face, and marched us to our table. Weird!

I hoped to find in this Topic a means or way of testing for bad QRCs.

( “Over 96% of popular free Android apps we tested allow other companies to invade your privacy, like…

That was to be my next point, that of questionable “apps”.
I won’t use my phone, if/when I can, to scan QRCs, or download any app until I know everything about it.

Unfortunately, there are too many Apathacans w/ cells, digital phones or best described as a leash. Apathacans would rather give up their rights than turn to safer devices due to cost, it’s a binary rabbit hole and intense learning curve.

Google is in charge of the Internet as we once knew it and if QRCs make it easier to stalk people, Google’s path of least resistance is to abuse QRCs. Apps are proof of that. Why wouldn’t they? Look at what they did with Google Fonts, Tags, and CDNs.

One of the anti-malware bosses lists many ways QRCs are abused and how to protect one’s self from nefarious QRCs and how to safely generate your own. Check out [Malwarebytes QRC page.] (QR codes explained: How they work and how to use them securely)

A dog is often tied to a leash. Who owns the leash? The dog or dog owner?
Who owns one’s cell phone? Apple or Google?

Just my ramblings - nothing more,


In my opinion, there is no guaranteed way to test a QR code for badness, so the only reasonable expectation is that the software presents a decode of the QR code before actioning it and the information is presented in a way that is meaningful to the user i.e. so that consent is informed.

Firefox has functionality to verify domains against a list of known “poor reputation” domains - which a user of course must be able to disable and/or override - and perhaps that would be a starting point with QR codes if you want more than the previous paragraph.

However because QR codes cover much broader functionality than just leading you to a web site, it needs more than checking the reputation of the domain. (QR codes cover anything from sending an email or text message to associating with a new Wireless Access Point or storing a new Contact, and lots more besides.)

Even within the limited scope of web sites, QR codes are subject to at least three of the attacks that apply more generally to web usage:

  • truncated domain names (i.e. deliberately long domain names where the most significant labels are badness but only the least significant labels get displayed on the screen)
  • IDN homograph attack (i.e. where the full domain name looks completely legitimate but in fact one of the characters of the legitimate domain name has been replaced by a similar- or identical-looking character)
  • link shortening services (i.e. the reputation of the service may itself be fine but the only way to know where the QR code will lead is by accessing the link shortening service - itself a potential privacy and security problem - and, if that is done, then the actual destination given by the link shortening service must then be iteratively subject to the same checking)

If you are really keen to test a QR code for badness then do as I (sometimes) do … don’t scan the QR code, photograph it. Then decode the JPEG image of the QR code yourself with the zbarimg command (package zbar-tools).

If you are super-keen (bonus points) then you can use wget to follow a link shortening service in a way that may be safer than using a browser.