Privacy

31363 readers

1094 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

Chat rooms

[Matrix/Element]Dead
Discord

much thanks to @gary_host_laptop for the logo design :)

founded 4 years ago

MODERATORS

[email protected]

209

What's inside the QR code menu at this cafe? (peabee.substack.com)

submitted 4 days ago by [email protected] to c/[email protected]

44 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 83 points 4 days ago (5 children)

scanning a random qr code has to be this generation's plugging in an unknown usb drive.

[–] [email protected] 50 points 3 days ago (1 children)

I mean, unless somebody is burning browser zero days on random public QR codes I'm not too worried.

[–] [email protected] 6 points 3 days ago

Browser zero days are some of the most valuable exploits in existence, so I highly doubt it would happen in practice

[–] [email protected] 27 points 3 days ago* (last edited 3 days ago) (3 children)

It's easier to take precautions though. You probably don't have an insulated USB port or throwaway host device but handling QR codes safely just takes basic tech and skill.

Important advice:

Don't use apps that auto-open URLs in QR codes when pointed at!
Make sure the app shows the full content of the QR code and lets you peruse it indefinitely before you open the link!
Know the structure of URLs and common pitfalls!

Recommendations:

Be extra suspicious if there is no URL printed next to the code, or if the printed URL is different.
Use an open source reader app that does not resolve Punycode (Unicode in TLDs).
Strip any tracking parameters you spot before following any URLs.
Be careful if the QR code could have been easily tampered with (on a sticker over the original one, or on a plain sheet of paper inserted into a plastic wrap together with the rest)

I think today's generation's equivalent is free Wi-Fi networks. Kids without mobile data in an area without an established public network will connect to just about any open one unless the SSID includes "LaserJet" or similar.

[–] [email protected] 5 points 3 days ago (1 children)

Strip any tracking parameters you spot before following any URLs.

If it's one of these QR codes at a restaurant for ordering, the parameters could possibly be necessary to properly connect your order to your table, depending on how they're set up.

[–] [email protected] 1 points 2 days ago

Then it's not a tracking parameter of course.

[–] [email protected] 2 points 3 days ago (1 children)

I keep meaning to look more into how qr codes work. I always wondered if there were possible attack vectors if a bad actor exploited a flaw in the decoding of the image. My mind went to a zip bomb for no apparent reason (a tiny file that unzips to a massive amount of data on disk)

[–] [email protected] 4 points 3 days ago* (last edited 3 days ago)

That is very decoder-specific. The most common QR reader apps are the Camera app on iPhones and Google Lens for Android so you'll want to target one of these (though Google Lens might be using cloud processing for that). There probably won't be any exploits in the image processing part but you obviously can write arbitrary data (including ASCII control characters such as CR, LF, null) into the "data" part of the QR code, as the encoding mode and data length is stored in the first 4+(n*8) bits of where data would be instead of null byte termination. Normally, the data is then right-padded with repeating 0xEC11 (or not) and then error correction follows (number of bytes in the error-correction part is defined by the size and ECC mode indicated in another region).

[–] [email protected] 4 points 3 days ago

WiFi and cellular networks as well. Using cellular data without some kind of tunneling for traffic/dns is nuts IMO.

[–] [email protected] 8 points 3 days ago

You just don't open the link

[–] [email protected] 5 points 3 days ago

You would at least be able to examine the link first.

[–] [email protected] 3 points 3 days ago* (last edited 3 days ago)

That's why this.