Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Medicine The Internet

Anti-Vaxxer Hijacks QR Codes At COVID-19 Check-In Sites (threatpost.com) 117

schwit1 shares a report from Threatpost: Quick-response (QR) codes used by a COVID-19 contact-tracing program were hijacked by a man who simply slapped up scam QR codes on top to redirect users to an anti-vaccination website, according to local police. He now faces two counts of "obstructing operations carried out relative to COVID-19 under the Emergency Management Act," the South Australia Police said in a statement announcing the arrest. His arrest may just be a drop in the bucket: Reports of other anti-vax campaigners doing the same thing abound. Law enforcement added an additional warning to would-be QR code scammers: "Any person found to be tampering or obstructing with business QR codes will likely face arrest and court penalty of up to $10,000." The police said no personal data was breached, but the incident highlights that truly all an attacker needs is a printer and a pack of Avery labels to do real damage.

In this case, the QR codes were being used by the South Australian government's official CovidSafe app to access a device's camera, scan the code and collect real-time location data to be used for contact tracing in case of a COVID-19 outbreak, ABC News Australia reported. That's a lot of personal data linked to a single QR code just waiting to be stolen. "In this instance, people who scanned the illegitimate QR code were redirected to a website distributing misinformation from the anti-vaxxer community," Bill Harrod, vice president of public sector at Ivanti, told Threatpost. "While this is concerning, the outcome could have been far more perilous."

This discussion has been archived. No new comments can be posted.

Anti-Vaxxer Hijacks QR Codes At COVID-19 Check-In Sites

Comments Filter:
  • I would suggest (Score:5, Insightful)

    by Rosco P. Coltrane ( 209368 ) on Thursday April 29, 2021 @07:55PM (#61330088)

    also suing whichever lazy-ass app developer decided simply opening whatever URL gets scanned without doing some checking first is okay in a custom app. I would expect the app to at least check that the QR code has some kind of signature in it, or - better - it's encrypted with a key that only the app has.

    • Re:I would suggest (Score:4, Insightful)

      by Bodie1 ( 1347679 ) on Thursday April 29, 2021 @07:58PM (#61330094)

      Some ask why I never scan QR codes...
      Others are smart.

      • Re:I would suggest (Score:5, Insightful)

        by BeaverCleaver ( 673164 ) on Thursday April 29, 2021 @08:09PM (#61330136)

        QR codes are like any other form of URL obfuscation and should be avoided for the same reasons.

        • by beepsky ( 6008348 ) on Thursday April 29, 2021 @08:17PM (#61330164)
          I don't know what phone OS you're using but my Samsung Fold 2 lets me read QR code URLs before committing to opening them
          • by pD-brane ( 302604 ) on Friday April 30, 2021 @01:17AM (#61330914) Homepage

            Why is this rated funny instead of informative or insightful? Scanning, human-checking the URL, then opening seems reasonably smart.

            Only risk I see is the URL containing non-ASCII characters that look like ASCII characters, but the scanner app could warn simply when non-ASCII characters are used.

          • Most QR code point to the URL shortening site of whatever online QR generator they tended to use. Even so, you can register domains âoeclose enoughâ that pass a cursory inspection by a non-geek.

            True drive-by, I would simply redirect you to the correct site after installing a rogue contact tracing app.

            QR code are a bad idea.

        • by The Evil Atheist ( 2484676 ) on Thursday April 29, 2021 @10:11PM (#61330464)
          The practice of putting QR codes everywhere, you may as well put barcodes everywhere.

          Where do you draw the line?
        • QR codes are like any other form of URL obfuscation and should be avoided for the same reasons.

          QR codes are helpful when you have a trusted app to read them that does validation. South Australia hired the B team and got a B grade product.

      • Well, we have a Covid QR code to scan in our building if you arrive after hours. The assumption being made is that one of our employees created that sign and put it up. And also an assumption that it's the same QR code that was there last week when I showed up. So naturally, I might think that it's safe and that no one snuck in and put a sticker over the code with their own version.

        So a QR code in the wild, just ignore it. One you are interested in, look at the URL first before you continue. One you've

      • Just use a separate app where you can inspect and decide first.

    • Uhh, what app, my Android built-in camera app? How in the hell would it know? It sees a QR code, and hovers it, I click on it. Simple as that,
      • If you had bothered to read the first words of TFA, you would have spotted this:

        (QR) codes used by a COVID-19 contact-tracing program

        So it's not a generic browser or a generic QR code scanner opening the URL, it's a dedicted COVID19 contact tracing app.

        • There are three possibilities here. Either a) their Covid tracking app is so horribly bad that it just blindly follows links provided in QR format and that's all the QR code is is a URL, b) it uses some other scheme but someone hacked it to redirect or c) the guy just slapped a URL QR code on top and people who scanned it outside the app were directed there.

          My money is on c, but I guess the other two are possible if they're really, really bad at writing apps so point taken.

          • My money is on a and b, you can tell QR code to just about anything, app stores are accessible by using a fancy URL in the QR code.

            So you could point your targets to a fake contact tracing app with malware. Really smart cookies could even put the entire malware into the QR code itself, it is technically possible to put an entirely base64 coded app into a QR code.

        • If the South Australian QR-driven tracing system is anything like the Queensland version then it may be either the generic QR scanner in many camera apps or the specific application reading the code. The app is only a thin wrapper over a web site. In the Queensland case, if the generic Samsung camera detects a "Check in Qld" QR it offers to open it with either a generic browser or the specific app (and I can make the selection sticky). A legitimate QR will lead a browser to a web page you can register thr
        • You might like to consider that the word "program" has a more general meaning than a computer program. If you got past the "first words of TFA" you may have seen:

          Scan the QR Code with the mySA.gov app or your phone camera

          These QR codes are routinely scanned by the native camera apps because that is the most convenient way for people to use them (ie requires less interaction).

        • So it's not a generic browser or a generic QR code scanner opening the URL, it's a dedicted COVID19 contact tracing app.

          Except the process of hijacking it was exceptionally simple. Just place a different QR code over the top of the legit one.

          To me, what is impressive is that somewhere in the largely brain dead desert of anti-vaxxer land, someone figured out a very simple way to mess with people. As Hacks go, this is fascinating. It allows plain old folks who might not ever use a computer to be a distribution system for various malevolent purposes. I knew the things weren't safe when I first saw them, but here is a use cas

    • Re:I would suggest (Score:5, Informative)

      by The Dark ( 159909 ) on Thursday April 29, 2021 @09:43PM (#61330402)

      Not so much a lazy-ass app developer as a lazy-ass (or click-baity) reporter. The South Australia government app (mySA GOV) to scan these QR codes ignores unofficial codes and gives you a warning: "Only QR codes from official COVID-safe plans can be scanned". The CovidSafe app they mentioned in the summary is the federal government one and that doesn't have any QR capability, it only does contact tracing.

      However, this would catch people who aren't using the offical app and are just using their phone's QR scanner.

      • Agreed! I'm also in SA, and using the official MySA Gov app to scan the QR codes. However, not everyone does, and you can just use your camera app (or whatever) to scan the codes and they'll take you to the website to sign in. So whoever put these fake codes out were relying on those people rather than people actually using the official app.
      • by ebvwfbw ( 864834 )

        Someone could put up the classics - Goatse, GNAA, etc.

    • You have been around 21+ years if not longer in the game.
      You can not expect the normal under 30 coder to expect it as an attack vector.
      the only way you can expect that someone will care about the attack vector is
      if they have been on Slashdot for a long enough time ( and you have been on
      since 1999-2000 not exactly sure ) or specifically trained to understand basic security

    • For the most part it's likely the OS that is handling the QR code and launching an app (or website), likely after some user confirmation.

      People probably won't be launching an app to scan (though an app could support that), for most people it will be more convenient to scan the QR code with their phones default camera to launch an app.
      • For the most part it's likely the OS that is handling the QR code and launching an app (or website), likely after some user confirmation. People probably won't be launching an app to scan (though an app could support that), for most people it will be more convenient to scan the QR code with their phones default camera to launch an app.

        Well rather than you guess, I can tell you how it is, since I'm Australian :)
        Most Australian States now have their own app for accessing State services (licensing, car registration, pay fines etc)
        When Covid hit, most of these apps simply added a 'check-in' function for contact tracing. So people who already have the app and know how to use it, simply scan the QR code with the App.
        My local State's app validates any QR code so this wouldn't be an issue, and I just checked that SA does too. So the only iss

        • Yeah, Chuck Chunder clearly isn't the username of an Australian....

          I am in NSW and I don't think I have ever seen anyone manually launch the govt app to scan a code because it's far more convenient (ie less manual interaction) to just use the native camera and let the phone do the launching.

          Additionally, in NSW at least, we were using QR Codes that launched websites for recording visits to venues well before the state governments got their centralised systems up and running, so peoples workflows for sc
          • I am in NSW and I don't think I have ever seen anyone manually launch the govt app to...

            Well if you haven't seen it doesn't happen...

            Additionally, in NSW at least, we were...

            You clearly speak for all 8 million residents of the state...

            and for the most part will have remained unchanged.

            Because you say so...

            • What a bizarre response.

              You clearly speak for all 8 million residents of the state...

              after

              I can tell you how it is, since I'm Australian

              ?

              Have a good hard look at yourself mate, you are embarrassing yourself.

    • I have a better solution... sue the hell out of everyone publishing web pages with blatant medical misinformation and lies.

      Lying to someone on important medical issues needs to be a crime because their life might depend on the accuracy of that information.

      This is course opens a whole new can of worms, starting with pretend cures and snake oil "medicines" like omeophaty, all things that are, for unknowns reasons, tolerated in today's society and shouldn't... things that actually kill people far more than any

      • by DrSkwid ( 118965 )

        > sue the hell out of everyone publishing web pages with blatant medical misinformation and lies.

        what about subtle misinformation and lies ?

        Should we sue the people who said lockdowns work or the people who say lockdowns don't work ?

        Should we sue the people who say that children wearing masks to school causes more harm than good or those who say all children must wear masks at all times ?

  • With absolutely no possibility of introducing more problems on top of your current problems.

    • This app has been quite effective to help contact tracing.
      Every venue: store, restraint, church, sports stadium etc has a qr code that you scan as you enter.
      This submits your name, phone number the time and the venue to the health department where it is kept for 30 days and only used for contact tracing.

      In South Australia we currently have 6 active cases in hotel quarantine and no cases in the community and a total of 4 deaths so far in a population of 1.7M people.
      There have been outbakes but having this da

      • by rtb61 ( 674572 )

        I have never used it nor have I ever seen anyone using it. This sounds more like a practical joke, than any scam. They probably did not find it by anyone using it but with supermarket security cameras which are every where (in South Australia they most definitely do prosecute every single shoplifting case, not that I know first hand but second hand when designing and constructing a supermarket, do you know country towns are the worst especially with a blow in owner and manager of the supermarket, I wont say

        • Except to target that merry prankster with fake qr code stickers

          I suspect it was less a merry prankster in motley with bells on the points of his caps, capering down the road to the tune of "The Whistler", and more a sullen, embittered shut-in who believes his ideas deserve more attention than they're getting and who didn't want to go through the hassle of getting a gun license.

        • Meanwhile in South Australia a very high TB inoculation rate zone, hence the very low covid numbers, SHHH don't tell anyone this but they have not worn masks or really social distanced since the beginning. Don't tell anyone but they actually did less than Sweden.

          To be fair, South Australia is one of the most isolated places on earth. New Zealand is crowing about their low rates too, but it has less to do with superior policy and more to do with being in the middle of Bumfuck Egypt :)

          • by notsouseful ( 6407080 ) on Thursday April 29, 2021 @11:53PM (#61330762)

            To be fair, South Australia is one of the most isolated places on earth. New Zealand is crowing about their low rates too, but it has less to do with superior policy and more to do with being in the middle of Bumfuck Egypt :)

            This is a fallacy. Earlier someone responded to one of my posts about the virus in the US by saying basically "blah blah blah blah blah it doesn't matter because some fence hopper is going to show up coughing and ruin it for everyone again". Which is kind of true. It takes anticipation and determination to contain the spread of this disease. We can't get half the country on board with either of those in the US, so we're kind of shot in the foot in the first place. Hell I have family members who won't get vaccinated because they believe it's made out of babies (yeah get this - they believe the vaccine is made from literal babies, Trump is trying to completely take credit for all of the vaccine everywhere like he developed it himself, and they're full on Trump supporters... I can't even). But countries who have populations that give a shit about each other, like New Zealand and Australia (and Vietnam, who border China), or very restrictive governments like well China (after their initial massive spread), are doing fairly well at containing spread from positive cases when they pop up, which allows them to otherwise almost ignore it in their daily lives, except the damage it does to their trade partners through their supply chain.

            Must be nice having parties and tailgates and shit.

            • Agree with most of your comment, though I hope you were exaggerating about your relatives who believe the vaccine is made from babies.

              I know a number of people who are opposed to the J&J vaccine because in the production process it uses cell lines derived from aborted fetuses. See:
              https://www.reuters.com/articl... [reuters.com]

              Well, in finding that link, apparently there were people such as you describe who needed to be debunked, so I guess you probably weren't exaggerating.

              It is possible, however, to ratio
            • This is a fallacy.

              Which is kind of true.

              Ok then...

        • Culture jamming.
  • by couchslug ( 175151 ) on Thursday April 29, 2021 @08:10PM (#61330140)

    It's goal is to sabotage public health so it should be dealt with accordingly.

    Tolerance for attempted murder is misplaced. These saboteurs merit exemplary crushing which is all their sort understand.

    • by Xenographic ( 557057 ) on Thursday April 29, 2021 @09:18PM (#61330342) Journal

      See, this guy is wrong and anti-vax is wrong and I've told several people that their anti-vax BS is full of crap, but "attempted murder" for obscuring a QR code? Really? You should be ashamed of yourself.

      This is the sort of over-reaction they use to delegitimize vaccines because it's an emotional reaction and not a logical one. They should be charged with vandalism or similar, a simple petty crime. The more you put emotional elements into this or punish them because their ideas are wrong, the more push-back you get. Yes, that push-back is dangerous, but it comes because politicians haven't been honest with us about what we know or don't know and have made up for it with draconian punishments that don't seem well-tailored to actual risks, there's no room for nuance in the clickbait news, and so it's not surprising that people turn to those they actually trust, even if they're wrong, instead of the groups that hate them and want to punish them for wrong ideas.

      So no, this is a dangerous and stupid idea with the same dangerous second-order effects. We need to calm way the hell down and look at actual risks and then help people avoid them, rather than using this as an excuse to punish people you hate.

      • by couchslug ( 175151 ) on Thursday April 29, 2021 @09:42PM (#61330396)

        The people I hate are indifferent to moral example and everything else. They cannot be addressed as adults but they can be punished and hurt in an exemplary manner. It doesn't take much to deter the less committed (the hardcore will never be different but can be used as example objects).

        The US is afraid to hurt old white fascists but gleefully murders anyone else, yet old white fascists are actually rather vulnerable and their situation won't improve with age. What missing is the patriotic will to bring the pain. COVID killed far more Americans than 9/11 but supporting its spread carries little censure and saboteurs can and do act with expectation of impunity.

        Peace failed a long time ago.

        • > They cannot be addressed as adults but they can be punished and hurt in an exemplary manner.

          Gee, I wonder why they don't trust you...

        • by quenda ( 644621 )

          The people I hate are indifferent to moral example and everything else.

          Your kind of nutjob, and I do not say this lightly, is even worse than the anti-vax nutjob.
          Yes, they should be treated as criminals, up before a magistrate. But "terrorist"? Who is terrorised? Absurd. And harm? Theoretical, not actual, fortunately.

      • They should be charged with vandalism or similar, a simple petty crime.

        It seems like of all the laws on the books, there should be something more to apply to such a serious crime. Anything to do with interfering with important public signage or interference with a medical practice? Attempted murder is a bit much but vandalism and petty crime are barely scratching the surface of what's wrong with this.

        On a somewhat related note, pointing a laser pointer at an aircraft should qualify as attempted (mass) murder though. It's basically the airborne equivalent of dropping a cinderbl

      • by AmiMoJo ( 196126 )

        There are documented cases of anti-vaxxers getting COVID and dying. If someone convinced them not to take precautions or get vaccinated then they are at least partly responsible, the same as if they encouraged them to do anything else stupid like eat Tide pods or jump into shallow water.

        • Jump from a great height into shallow water _will_ stop you from getting Covid. Lots of things kill Covid, unfortunately most of them kill humans easier. And plenty of religious people thinking their god keeps them safe, leading to clusters of infections.
      • > but "attempted murder" for obscuring a QR code

        Yes, really. This is not just a regular qr code with random opinions on it, it is something related to the health of people that CAN end with your death if you happen to believe it, it can actually end with your death and the death of thousand other people.

        So yes, it is attempted murder, worse yet it is attempted massacre and the terrorists spreading medical lies should be tried as terrorists.

      • See, this guy is wrong and anti-vax is wrong and I've told several people that their anti-vax BS is full of crap, but "attempted murder" for obscuring a QR code? Really?

        Yeah, attempted murder is over the top. Reckless endangerment is more appropriate, and if it can be proved that someone died of COVID because they were misled by the QR code then negligent homicide. Unless there's some evidence of intent to kill, then it could be premeditated murder.

    • by gweihir ( 88907 )

      I completely agree. Sabotaging critical medical care (and vaccinating for a serious disease is just that), is plain evil.

      • I completely agree. Sabotaging critical medical care is plain evil.

        Let's put some perspective here. This is not 'critical medical care', it's a check-in method that is only exploited if you use it incorrectly.
        If you use the App to scan and sign-in, no problem
        If you sign-in with provided pen and paper, no problem

        • > This is not 'critical medical care', it's a check-in method that is only exploited if you use it incorrectly.

          No, at all.
          This is using an official app, that people trusts, to spread medical lies and misinformation that end up with people dying and infecting others. These are criminals, people that kills other people for ideological reasons abusing not only the ignorance and fear of people, but also abusing the trust they place in official apps. These killers need to be tried as murderers, because they s

    • It's goal is to sabotage public health so it should be dealt with accordingly.

      Tolerance for attempted murder is misplaced. These saboteurs merit exemplary crushing which is all their sort understand.

      Putting a stick over another sticker is now attempted murder? How many people died?

      • by arQon ( 447508 )

        > ... is now attempted murder? How many people died?

        How many people *usually* die in an ATTEMPTED murder...? :P

    • We aren't talking about a ransomware attack on a hospital, just a brief, minor inconvenience at a vaccination site that might have caused dollars worth of damage to a sign or two. Anyone who read the sign first would have seen an error, not the anti-vax page, and reported to staff that it wasn't working. Staff then remove the sign. It could easily be that nobody saw the "malicious" link at all. Certainly none of the articles suggest anyone did. Hell, local news didn't know where it went - "it is unders
  • "While this is concerning, the outcome could have been far more perilous."

    Exactly, the gov't big brother folks could have gotten the info! Looks like the idiots accidentally managed a useful result.

    Also, no matter how stupid the cause this is non-violent political speech. What are the authorities doing with that info that leads them to behaving as though this was a terrorist attack? They're acting like they have something to hide. (presumably related to authoritarian police state tracking, not vaccines)
    • Exactly, the gov't big brother folks could have gotten the info! Looks like the idiots accidentally managed a useful result.

      How the fuck is sabotaging public health a "useful result".

      We're a mostly covid free country. If the virus gets in, that means the state or cite involved has to lock down for upwards of 3-4 days to flush it out. If contract tracing is sabotaged, that becomes a much more dismal picture as the tragic events in victoria last year proved

      (And I'm not even going into the human meatgrinder in

    • This is violent speech. This is as effective as having HIV/AIDS and having sex without telling your partner.

      Preventing access to contact carriers is a direct attack on the ability to keep the problem contained. The man needs to spend many lifetimes in prison if someone dies due to his stupidity. if no one dies then just a simple 10 years in prison to prevent others. I personally would like to see him hung publicly

      • Given that the codes were for checking in at a vaccination site, and that the maximum extent of the harm caused by altering the code is having to check in by saying, "I'm here, my name is ...", I don't see how your analogy could possibly hold. You're basically calling for someone to be publicly executed for causing minor inconvenience at one place for as long as it took for someone to point out the code didn't work.

        I shudder to think what you would do to a jaywalker.

        • >>that the maximum extent of the harm caused by altering the code is having to check in by saying, "I'm here, my name is ...",
          Nice try troll

          That's false correlation.

          The Maximum harm is that the ability to contact trace is removed. basically you have removed access to the carrier of the virus, and they might not be found.
          This false action is similar to the the person that helps load magazines for an attack.
          They are complicit in the crimes cause by the shooter because they know the outcome.

          if they reall

          • No, it isn't. The codes that were replaced were solely used for checking in at a vaccination site. Altering the codes could, at most, prevent people from using an app to check in. Whether or not someone might have ignored the instructions on the sign before it was replaced, and seen something you didn't want them to see is irrelevant, the contact-tracing functionality of the app was unaffected.

            Just admit that you overreacted and accept that this is not an infraction that justifies execution. You're sc

            • 2 points of reference :

              A jaywalker places themselves at risk by crossing outside of the zone's where it's permitted. the outcome is determined by jaywalkers skills at judging traffic and a drives skill set and mental profile of not willing to harm another.

              Does the infraction that justifies execution: I am firm in the stance that if another interferes in medical crisis in anyway, extremes action must be taken. in this case the least level of punishment is 4 years behind bars, solitary, if the action changes

  • "In this instance, people who scanned the illegitimate QR code were redirected to a website distributing misinformation from the anti-vaxxer community," Bill Harrod, vice president of public sector at Ivanti, told Threatpost. "While this is concerning, the outcome could have been far more perilous."

    Yes, educated people could have actually started believing them.

  • "Any person found to be tampering or obstructing with business QR codes will likely face arrest and court penalty of up to $10,000."

    Accuse them of a DMCA violation for copying the code, it carries a bigger penalty.

    • Accuse them of a DMCA violation for copying the code, it carries a bigger penalty.

      From TFS:

      the QR codes were being used by the South Australian government's official CovidSafe app

  • If they do not want to get vaccinated, fine. Just make sure they keep away from others that cannot be vaccinated. (If they do not and end up infecting somebody, charge them with aggravated assault. If they end up killing somebody, charge them with manslaughter.) But sabotaging _others_ from getting vaccinated that are willing is just plain simple evil. I hope this ass gets significant prison time.

    • But sabotaging _others_ from getting vaccinated that are willing is just plain simple evil. I hope this ass gets significant prison time.

      Wtf are you on about? The QR code is simply a check-in procedure for contact tracing, which if you read the posts above from SA locals, no-one used anyway, so the service was useless.
      So there is no 'sabotage', merely you got redirected to some silly website you didn't intend on reading, and only if you were too stupid to not use the app to check-in.

      I know this is the age of outrage, but maybe stop being so gullible to the hype. At no point was anyone getting vaccinated or being prevented from being vacci

    • For the minor annoyance of someone having to replace a sign, or god forbid, peel off a sticker? People who followed the directions on the sign would see nothing, and alert staff that it isn't working (leading to a quick fix). People who didn't read it and didn't assume they needed to use the government app will be taken to a site they probably won't read either.

      Yes, people might have to check in verbally for however long it takes to replace the sign or remove the sticker, but that barely ranks as a min

  • A couple years ago at a security conference some colleagues presented a paper. On the poster they put a QR code with a link to the pdf. It was very novel at the time so the QR code was in big and a lot of people tried it. The problem was that they'd screwed the QR code generation and it crashed every single phone that tried it, needing a hard reboot. It was the most talked event at the conference. And nobody read their paper ! ;-)
  • There is prima-facia case for attempted murder, charge them and make sure it attracts some headlines.

    A big clamp down on anti-vaxxers is long overdue.

    Their freedoms end at the point they endanger other people.

    • by ebvwfbw ( 864834 )

      There is prima-facia case for attempted murder, charge them and make sure it attracts some headlines.

      A big clamp down on anti-vaxxers is long overdue.

      Their freedoms end at the point they endanger other people.

      Be careful what you wish for. There are two that are suspect. The Johnson and Johnson and another one I can't think of. It's not available in the US. Should people know about them? If you're a woman I'd say stay the hell away from J&J until we know if it's an issue or not. Maybe it was a bad batch. I'm sorry it happened to J&J, I like that company. They've done a great deal of good.
      Pfizer seems to be good stuff. Moderna seems somewhere in between. I've met people that swear to God it was terrible. T

  • by pahles ( 701275 ) on Friday April 30, 2021 @02:25AM (#61330998)

    That's a lot of personal data linked to a single QR code just waiting to be stolen.

    You don't send data by scanning a QR code...

    • That's a lot of personal data linked to a single QR code just waiting to be stolen.

      You don't send data by scanning a QR code...

      100% this. The app clearly just uses the QR code to keep track of where you've been. At worst you could feed it incorrect location data. At no point does the app people were using to scan the code send your personal data outbound to some site identified by the QR code!

  • The ignorance out there on QR codes is astounding.

    First, I see responses here akin to 'That's why I never scan QR codes'.

    By the same logic, people making this argument would never accept cash, because.. like.. you know... you have to personally be responsible for evaluating it.

    A B.S. argument if ever there was one.

    Scanning QR codes with your phone bears just as much responsibility as accepting a $20 for change in the grocery store.

    Be skeptical. Look at the code carefully. Look at where it goes
  • I write an iOS app that does scan QR codes in one situation.

    QR codes can in principle contain arbitrary text. We chose to use a url with an app-specific scheme, like myapplication:// instead of https:/// [https] and then the rest is encrypted.

    The scheme makes sure that scanning through the camera will launch my app. You can also scan using the app directly, that would in principle read any QR code but rejects anything that isn't a url with the right scheme. And encryption used a private key that only we have,
  • In that it does not make sense. Consider this line, "In this case, the QR codes were being used by the South Australian government's official CovidSafe app to access a device's camera, scan the code and collect real-time location data to be used for contact tracing in case of a COVID-19 outbreak"

    So, the QR code gives the app permission to use the camera and scan the code? That's not how QR codes or access permissions work! An app has to have access to the camera to scan a code, scanning can't give some

    • In Australia QR Code scans you!

      That's not how QR codes or access permissions work!

      That is not how access permissions should work, but it could be coded to work that way. Partoicularly wth an unrooted phone, Samsung can have their phones do anything they want.

      • I guarantee that you cannot use an app to scan a QR code to give that app the ability to scan a QR code. Either it can access the camera to scan a code or it can't. Right?
    • I donâ(TM)t know about Android. On iOS, you need to tell the camera app to scan and open QR codes. It can only process QR codes containing valid URLs. Then it uses the scheme to decide which app to open; only apps that registered a URL scheme. Then it shows an alert asking the user if it is allowed to open the app. Now if you use a qr code with the right scheme, then the app should validate the rest of the url.
  • Security Expert saves citizens from domestic espionage.

  • Comment removed based on user account deletion

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...