• LibreMonk@linkage.ds8.zone
      1·
      4 days ago

      Not sure but I think QR codes that hold wi-fi creds would more likely be automatically processed by phones. Seems like an adequate attack surface. Maybe dodgy creds could overflow or do some kind of DB attack. Or even legit creds could lead someone to connect to a malicious hot-spot captive portal that the attacker carries.

    • SturgiesYrFase@lemmy.ml
      1·
      4 months ago

      My phone’s camera app just doesn’t scan qr codes. It’s actually really frustrating. I refuse to install a specific qr scanner, but I’d still like the ability to scan a menu code at restaurants or to get the WiFi connection at a hotel…

    • zurohki@aussie.zoneEnglish
      1·
      4 months ago

      When my phone’s barcode reader app sees a web link, it fetches the page’s title to display next to the actual link. So it is going to that web server and fetching resources by itself. Even though it isn’t actually rendering the page and running javascript, it might be exploitable.

      • Lovable Sidekick@lemmy.worldEnglish
        0·
        4 months ago

        But that’s the barcode app - is it always running, looking for barcodes in all the photos you take? Because there are already shirt with giant barcodes on them - presumably just artistic with no meaning, but who knows?

        • Malfeasant@lemm.ee
          11·
          4 months ago

          I have a shirt with a QR code that goes to a Rick roll. It doesn’t work nearly as well as I’d hoped. Even people trying to scan it have a hard time, forget about anyone scanning it unknowingly. Mr. Astley did in fact let me down.

  • bstix@feddit.dk
    1·
    4 months ago

    The largest QR code can hold up to 3 kb of data, which is more than enough to write a nasty virus in an injectable script if aimed at specific devices/apps. The main hurdle is breaking the app to execute the code instead of treating it as a string. It’s the Drop Bobby Tables joke. Developers hopefully don’t fall for this anymore.

    Anyway. Making a shitty link and leading people there isn’t a new idea. You don’t even need a t-shirt. Hackers already place their own printed QR labels on top of otherwise real codes, and the user might not even notice, because they’ll be redirected to the right site after the dirty deed is done dirt cheap.

  • HikingVet@lemmy.sdf.org
    0·
    4 months ago

    Except if they were halfway intelligent they wouldn’t have it go automatically to the site.

    And when you do this and something goes really wrong criminal charges get laid.

    • HalfAHero@lemmy.world
      1·
      4 months ago

      Can we just get a website that plays a soundbite at full volume screaming about how they person is bad at privacy practices, maybe with Korn in the background for maximum embarrassment?

    • Krafty Kactus@sopuli.xyzEnglish
      0·
      4 months ago

      I’m not sure if you could actually get criminal charges for this unless you were hosting the malware in which case that’s another issue. It would essentially be the same as walking around with a website URL on your shirt. The observer is responsible for typing in the URL or scanning the code and what they decide to do on the website that follows.

      • HikingVet@lemmy.sdf.org
        0·
        4 months ago

        Not if it incites violence, causes harm or any of the other carve outs in the first amendment of the USA.

        I am aware that the post is supposed to be funny, and you are most likely making a joke, but this is the internet and these sort of disclaimers tend to be necessary.

        • LibreMonk@linkage.ds8.zone
          1·
          4 days ago

          A smart attack would be coupled with a clear message. Have the malware clobber them with anti-evil messages and just like that you have a sound free speech defense.