I keep meaning to look more into how qr codes work. I always wondered if there were possible attack vectors if a bad actor exploited a flaw in the decoding of the image. My mind went to a zip bomb for no apparent reason (a tiny file that unzips to a massive amount of data on disk)
That is very decoder-specific. The most common QR reader apps are the Camera app on iPhones and Google Lens for Android so you’ll want to target one of these (though Google Lens might be using cloud processing for that). There probably won’t be any exploits in the image processing part but you obviously can write arbitrary data (including ASCII control characters such as CR, LF, null) into the “data” part of the QR code, as the encoding mode and data length is stored in the first 4+(n*8) bits of where data would be instead of null byte termination. Normally, the data is then right-padded with repeating 0xEC11 (or not) and then error correction follows (number of bytes in the error-correction part is defined by the size and ECC mode indicated in another region).
I keep meaning to look more into how qr codes work. I always wondered if there were possible attack vectors if a bad actor exploited a flaw in the decoding of the image. My mind went to a zip bomb for no apparent reason (a tiny file that unzips to a massive amount of data on disk)
That is very decoder-specific. The most common QR reader apps are the Camera app on iPhones and Google Lens for Android so you’ll want to target one of these (though Google Lens might be using cloud processing for that). There probably won’t be any exploits in the image processing part but you obviously can write arbitrary data (including ASCII control characters such as CR, LF, null) into the “data” part of the QR code, as the encoding mode and data length is stored in the first 4+(n*8) bits of where data would be instead of null byte termination. Normally, the data is then right-padded with repeating
0xEC11(or not) and then error correction follows (number of bytes in the error-correction part is defined by the size and ECC mode indicated in another region).