Subject : Re: Recognising (or not) QR codes
From : robin_listas (at) *nospam* es.invalid (Carlos E.R.)
Newsgroups : comp.mobile.android
Date : 03. Jul 2025, 21:35:32
Message-ID : <k56jjlxpt2.ln2@Telcontar.valinor>
User-Agent : Mozilla Thunderbird
On 2025-07-03 21:31, Frank Slootweg wrote:
> Carlos E.R. <robin_listas@es.invalid> wrote:
>> On 2025-07-03 15:41, Frank Slootweg wrote:
>>> Carlos E.R. <robin_listas@es.invalid> wrote:
>>>> On 2025-07-02 17:02, Jörg Lorenz wrote:
>>>>> On 02.07.25 15:24, VanguardLH wrote:
>>>>>> My concern is a QR code can contain a URL.
>>>>>
>>>>> That is their purpose.
>>>>
>>>> Nope. Their purpose is to contain a string. The string can be anything,
>>>> even a URL. :-)
>>>>
>>>> For instance, I had somewhere a QR code with the identifier and password
>>>> of my wifi.
>>>
>>> And I use them to login to my bank accounts, governmental websites,
>>> medical/hospital websites, etc., etc.. No URLs involved, because my
>>> browser is already connected to the websites in question.
>>>
>>> So QR codes are multi-purpose, *some* are dangerous, but others
>>> *enhance* security/safety/privacy/<whatever>! :-)
>>
>> And AFAIK, the danger is only when opening a URL without pausing.
>
> Indeed. VanguardLH sort of implied that there are QR scanning apps (or
> QR scanning parts of camera, etc. apps), which directly open the URL
> without pausing, but didn't give details, so for the moment that's FUD.

No, no, I have heard/read comments before about dangerous QR codes, even from the police. It is true, they exist. And the only reason I can think of is applications that open them without a pause to review. But the people who say they are dangerous do not explain.

I asked ChatGPT; it confirms my suspicions and expands on them:
+++··················
Q: Why do some people say that QR codes are dangerous? I can only think of apps opening web sites directly from the QR without pause to check them.
A:
Great question — you're absolutely right that **automatic URL opening** is one of the main reasons people consider QR codes potentially "dangerous." But let’s break it down a bit more, because QR codes themselves are **not inherently dangerous**, but the **way they’re handled** by devices and apps can be.
---
### 🔍 Why QR Codes *Can* Be Dangerous:
1. **They hide what you're scanning.**
   * A QR code is a block of data (usually a URL) that **you can’t visually inspect**, unlike a regular link.
   * A malicious QR code might link to:
     * A **phishing site**
     * A **malware download**
     * A **Wi-Fi access point** with a spoofed name
     * A **malicious app** in an app store
2. **Automatic actions with no prompt.**
   * Some QR reader apps or phone cameras will **automatically open the URL** or **take action without confirmation**, which makes phishing or drive-by downloads easier.
   * If the device is poorly secured, this might lead to exploitation.
3. **QR codes can encode more than URLs.**
   * They can contain:
     * Email addresses or pre-filled SMS messages
     * vCards (contacts)
     * Wi-Fi credentials
     * App store URIs
     * Payment requests
   * If apps auto-process those actions, you could **accidentally connect to a rogue Wi-Fi**, send a message, or add a fake contact.
4. **Social engineering factor.**
   * Fake QR code stickers can be placed over real ones (e.g., restaurant menus, parking meters, or payment terminals).
   * Users trust the context and scan without thinking.
---
### 🔒 How to Stay Safe:
* **Always preview the URL** — most modern phones do show a URL before opening it.
* **Don’t use sketchy QR reader apps** — stick to the built-in camera app or trusted apps.
* **Be wary of QR codes in public spaces** — especially for payments or login.
* **Watch for shortened URLs** — they can obscure the final destination.
* **Disable auto-connect to unknown Wi-Fi networks.**
---
### ✅ Bottom line:
You’re absolutely right — the main risk is when apps **automatically open a URL** or perform an action **without giving you a chance to review** it. That’s the key security concern.
QR codes themselves are just dumb data, but **how apps and humans handle them** can create real-world risks.
··················++-
-- Cheers, Carlos.
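
The "pause to review" step discussed in this post, as an added example that is not part of the original message: a function that takes the string decoded from a QR code and only describes what acting on it would do, with warnings, instead of acting. The `WIFI:`/`SMSTO:` prefixes follow the conventions commonly used by scanner apps; the function names and the shortener list are assumptions made for this sketch.

```python
from urllib.parse import urlsplit
# Assumption: short illustrative list, not a complete catalogue of shorteners.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def parse_wifi(text):
    """Split 'WIFI:T:WPA;S:name;P:pass;;' into fields, honouring backslash escapes."""
    fields, buf, esc = {}, "", False
    for ch in text[len("WIFI:"):]:
        if esc:
            buf, esc = buf + ch, False
        elif ch == "\\":
            esc = True
        elif ch == ";":
            key, sep, val = buf.partition(":")
            if sep:
                fields[key.upper()] = val
            buf = ""
        else:
            buf += ch
    return fields

def preview(payload):
    """Describe what a decoded QR string would do; never performs the action."""
    text, warn = payload.strip(), []
    low = text.lower()
    if low.startswith("wifi:"):
        f = parse_wifi(text)
        if f.get("T", "nopass").lower() == "nopass":
            warn.append("open network, no encryption")
        return "wifi", f"join Wi-Fi network {f.get('S', '')!r}", warn
    if low.startswith(("smsto:", "sms:", "mailto:")):
        return "message", "compose a pre-filled message", ["check recipient and text"]
    if low.startswith("begin:vcard"):
        return "contact", "add a contact", warn
    try:
        url = urlsplit(text)
    except ValueError:
        return "text", "show as plain text", ["malformed URL-like string"]
    if url.scheme in ("http", "https") and url.hostname:
        if url.scheme == "http":
            warn.append("unencrypted http")
        if url.hostname in SHORTENERS:
            warn.append("shortened URL hides the final destination")
        if url.username is not None:
            warn.append("text before '@' is not the host")
        return "url", f"open {url.hostname}", warn
    if url.scheme:
        return "uri", f"hand off to the handler for {url.scheme}:", ["non-web scheme"]
    return "text", "show as plain text", warn
```

A scanner built this way shows the returned summary and warnings and waits for the user to confirm before opening, joining or sending anything.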