Wednesday, 5 October 2011

QR code readers analysed

They do what? #evilqr

I recently noted the unsurprising potential for abuse that QR codes provide. One significant part of the problem is the QR code reader software itself. It may, for example, be vulnerable to exploits delivered directly by the QR code, or it might just take you to a potentially hostile website without asking for permission.

The code readers also have the potential to help, perhaps by providing information about the code's 'payload' (e.g. URL) before taking further action, such as visiting that URL.

AppSec-Labs has compiled a table of QR code readers in a blog article entitled 'Security assessment of mobile QR readers'. Of the 18 tested, five directed users to websites automatically with no user confirmation. One even parsed JavaScript.

The AppSec-Labs article includes two 'evil' QR codes for those who want to test the code reading software that they use.
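The safer reader behaviour described above (show the payload, then ask before acting) can be sketched as follows. This is an added example, not code from AppSec-Labs or from any tested reader; the function names, the allow-list of schemes and the warning texts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

OPENABLE_SCHEMES = {"http", "https"}  # assumption: only web links may be opened

def preview_payload(payload: str) -> dict:
    """Describe a decoded QR payload for display; performs no action itself."""
    text = payload.strip()
    as_text = {"kind": "text", "display": text, "may_open": False, "warnings": []}
    # Embedded control characters can hide a scheme from a naive check.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text):
        return as_text
    try:
        parts = urlsplit(text)
        host = parts.hostname
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return as_text
    scheme = parts.scheme.lower()
    if scheme not in OPENABLE_SCHEMES or not host:
        return as_text  # javascript:, data:, tel:, plain text: shown, never run
    warnings = []
    if parts.username is not None:
        warnings.append("text before '@' is login info, not the site name")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("internationalised host name: check for lookalikes")
    if scheme == "http":
        warnings.append("unencrypted connection")
    return {"kind": "url", "display": text, "host": host,
            "may_open": True, "warnings": warnings}

def handle_scan(payload: str, confirm) -> tuple:
    """Reader policy: open a link only after the user has seen the preview."""
    info = preview_payload(payload)
    if info["may_open"] and confirm(info):
        return ("open", info["display"])
    return ("show", info["display"])

if __name__ == "__main__":
    # Constructed sample payloads, not taken from the AppSec-Labs article.
    for sample in ("https://example.org/", "http://example.com@evil.example/login",
                   "javascript:alert(1)"):
        print(preview_payload(sample))
```

The `confirm` callback stands in for the reader's confirmation dialog; anything that is not an `http` or `https` link is only ever displayed as text.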