• isabella86@lemmy.ml
    link
    fedilink
    English
    arrow-up
    1
    ·
    5 days ago

    Whoa, I need to recover from reading this. Where to even begin?? Asks for a phone number? Nonetheless, but a WhatsApp phone number? Hmm, a red flag, but it’s nothing compared with the rest of the post. A friend asked me maybe two weeks ago to help him make a QR code for a restaurant menu since I deal with them a lot for work (it’s actually not that difficult, see here). The generator I use is likely the safest in the market, with all bells and whistles, and I always tell anyone who asks - check the generator carefully before making a QR code, especially for business and especially if you plan to print it. Read the reviews. Look for security features. Plus, many advertise free codes, but it turns out - not really (people create, print, and then two weeks later - hello, pay a subscription if you want your code to work again). And I thought this was bad. But what I read now escapes reality. A big thanks to those who posted the archived copy, by the way.

    • captain_zavec
      link
      fedilink
      arrow-up
      53
      arrow-down
      1
      ·
      2 months ago

      I mean, unless somebody is burning browser zero days on random public QR codes I’m not too worried.

    • ChaoticNeutralCzech@feddit.org
      link
      fedilink
      English
      arrow-up
      29
      arrow-down
      1
      ·
      edit-2
      2 months ago

      It’s easier to take precautions though. You probably don’t have an insulated USB port or throwaway host device but handling QR codes safely just takes basic tech and skill.

      Important advice:

      • Don’t use apps that auto-open URLs in QR codes when pointed at!
      • Make sure the app shows the full content of the QR code and lets you peruse it indefinitely before you open the link!
      • Know the structure of URLs and common pitfalls!

      Recommendations:

      • Be extra suspicious if there is no URL printed next to the code, or if the printed URL is different.
      • Use an open source reader app (most QR codes don’t contain secrets but it’s got permission to use either camera!) that does not resolve Punycode (Unicode in TLDs).
      • Strip any tracking parameters you spot before following any URLs.
      • Be careful if the QR code could have been easily tampered with (on a sticker over the original one, or on a plain sheet of paper inserted into a plastic wrap together with the rest)

      I think today’s generation’s equivalent is free Wi-Fi networks. Kids without mobile data in an area without an established public network will connect to just about any open one unless the SSID includes “LaserJet” or similar.

      • Zagorath@aussie.zone
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        1
        ·
        2 months ago

        Strip any tracking parameters you spot before following any URLs.

        If it’s one of these QR codes at a restaurant for ordering, the parameters could possibly be necessary to properly connect your order to your table, depending on how they’re set up.

      • krolden@lemmy.ml
        link
        fedilink
        arrow-up
        4
        ·
        2 months ago

        WiFi and cellular networks as well. Using cellular data without some kind of tunneling for traffic/dns is nuts IMO.

      • tiredofsametab@fedia.io
        link
        fedilink
        arrow-up
        2
        ·
        2 months ago

        I keep meaning to look more into how qr codes work. I always wondered if there were possible attack vectors if a bad actor exploited a flaw in the decoding of the image. My mind went to a zip bomb for no apparent reason (a tiny file that unzips to a massive amount of data on disk)

        • ChaoticNeutralCzech@feddit.org
          link
          fedilink
          English
          arrow-up
          4
          ·
          edit-2
          2 months ago

          That is very decoder-specific. The most common QR reader apps are the Camera app on iPhones and Google Lens for Android so you’ll want to target one of these (though Google Lens might be using cloud processing for that). There probably won’t be any exploits in the image processing part but you obviously can write arbitrary data (including ASCII control characters such as CR, LF, null) into the “data” part of the QR code, as the encoding mode and data length is stored in the first 4+(n*8) bits of where data would be instead of null byte termination. Normally, the data is then right-padded with repeating 0xEC11 (or not) and then error correction follows (number of bytes in the error-correction part is defined by the size and ECC mode indicated in another region).

      • Quacksalber
        link
        fedilink
        arrow-up
        17
        arrow-down
        3
        ·
        2 months ago

        Probably smart to take it down. What he did could be construed as hacking.

        • Zagorath@aussie.zone
          link
          fedilink
          arrow-up
          27
          ·
          2 months ago

          I have no idea what the law is in India, but if he got a “hacking” charge for this it would be a gross miscarriage of justice, considering he never once did anything resembling social engineering, brute forcing passwords, any sort of injection attack, or anything else that might actually be involved in hacking.

          However, assuming he never tried to reach out to the company themselves first (and I saw no indication in the article that he had), this is really quite a horrible irresponsible disclosure. It’s pretty obviously a significant leak of sensitive data—both customer and business data—and giving them 90 days to fix it before alerting the public to what you found is pretty basic security ethics.

          • dylanmorgan@slrpnk.net
            link
            fedilink
            arrow-up
            12
            arrow-down
            2
            ·
            2 months ago

            I also don’t know the laws in India, but in the US nearly every major “hacking” case for decades has been a miscarriage of justice to some degree or another.

            Like Kevin Mitnick who simply figured out that a major early ISP was keeping customer payment information in plaintext on an internet-connected server.

            • thesmokingman@programming.dev
              link
              fedilink
              arrow-up
              4
              ·
              2 months ago

              That’s a huge misrepresentation of what Mitnick did and how the government mischarged him. He did a bunch of dumb stuff that was illegal. He was overcharged in very bad ways supporting ridiculous lies from the companies he broke into.

          • ITGuyLevi@programming.dev
            link
            fedilink
            arrow-up
            3
            ·
            2 months ago

            Well there was that one part where he turned off his laptop after (not wanting to drop what he did here as the article was pulled), but I could totally see a company freaking out and going nuclear. That being said, I’m just looking through the FreedomGoggles that recently saw a “hacker” using F12 to compromise a bunch of teacher data. You know, their important sensitive data that was definitely not sent to their device where it could be seen by right clicking and hitting view source.

          • pandapoo
            link
            fedilink
            English
            arrow-up
            3
            ·
            edit-2
            2 months ago

            Under US law, that would be considered hacking.

            It is antiquated, and frequently abused by prosecutors, but legally speaking hacking is as simple as accessing any system you’re not authorized to.

            And even more so, he documents alterations and changes that he made to that system e.g. ordering a soup for a random table.

            Again, only speaking for America, but this would be a textbook example of grayhat hacking, which could easily be prosecuted.

            I’m not saying it should be illegal, or that I agree, just that it currently is.

            • Zagorath@aussie.zone
              link
              fedilink
              English
              arrow-up
              1
              ·
              2 months ago

              A good lawyer in a case with a sensible well-informed judge could run a good case, since he’s only actually making calls to an API that has not just been left open for anyone to access (which you could argue is implicit authorisation no different to how a store having unlocked doors is implicit invitation to enter the store), but has actually been explicitly invited to access by virtue of the site he was sent to in the QR code causing his browser to make requests to that API.

              Admittedly, a competent prosecutor could also make a case that by changing the query parameters, he was then losing that explicit invitation, and could then try to pick apart the implicit argument.

              Though it’s all irrelevant, because there’s a reason I said “miscarriage of justice” and not “incorrect application of the law”. If the law did find someone guilty here, it would be an unjust law. That was my point.

              • pandapoo
                link
                fedilink
                English
                arrow-up
                1
                ·
                edit-2
                2 months ago

                So you’re saying that if all lawyers, and judges involved, are all also programmers, security researchers, or otherwise well-versed in computer security, they might choose to ignore the law how is written, and nullify it with their own experience?

                Also, there is plenty of case law, and people with convictions on their record, for doing far less than what this guy did.

                That doesn’t mean the law is just, or that I agree with it, just that it’s currently illegal.

                • Zagorath@aussie.zone
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  2 months ago

                  So you’re saying that if all lawyers, and judges involved, are all also programmers, security researchers, or otherwise well-versed in computer security, they might choose to ignore the law how is written

                  No? That’s nothing close to what I said? I said that the law as it’s written could very likely be interpreted in a way that achieves a just outcome, as long as people involved have adequate understanding of technology.

  • NegativeInf@lemmy.world
    link
    fedilink
    arrow-up
    32
    arrow-down
    6
    ·
    2 months ago

    Absolute insanity.

    I would have abused this great and terrible power in just the same way he described. Random orders for random tables at random restaurants at random times in small quantities for as long as they aren’t protected. Just enough to be an inconvenience/awkward but not enough to raise alarms.

    And now I will check every QR code I scan at a restaurant.

    • Psychodelic@lemmy.world
      link
      fedilink
      arrow-up
      3
      arrow-down
      1
      ·
      edit-2
      2 months ago

      That seems kinda fucked up. Why would you do something like that?

      I mean, I at least get fucking with people for money. Doing it for fun, not so much

      Also, anyone know what they meant with this line?

      I still loved my life so I didn’t want to use the Google custom search API.

      • NegativeInf@lemmy.world
        link
        fedilink
        arrow-up
        2
        arrow-down
        3
        ·
        edit-2
        2 months ago

        Because you can or to prove a point.

        As to the quoted text, I assumed it was a reference to not getting more deeply involved in it that would cause legal issues for himself.

  • Bezier@suppo.fi
    link
    fedilink
    arrow-up
    15
    ·
    edit-2
    2 months ago

    The main event here was pretty interesting, but I’d just like to say that

    It asked me for my name and Whatsapp mobile number.

    Why not just the mobile number. Do they also operate drive-ins that only accept BMWs?

    • Mountaineer@aussie.zone
      link
      fedilink
      English
      arrow-up
      11
      arrow-down
      1
      ·
      2 months ago

      In certain places like India, WhatsApp is the default means of communication for everyone.
      You can use it without phone data if you are on wifi, it supports better quality than sms for sending images, you can video chat with it, it’s cross platform, etc etc.

      What’s more amazing to me is that it’s not more popular in western countries.

      • Bezier@suppo.fi
        link
        fedilink
        arrow-up
        4
        ·
        2 months ago

        I know it’s dominant, but it just sucks. To go back to the previous analogy, Whatsapp should have a monopoly on communication as much as BMW should have a monopoly on transportation.

        • Mountaineer@aussie.zone
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          I agree and use Signal myself.
          But people like the extra features of WhatsApp like desktop/web clients with seamless history sync and all the other little things that WhatsApp provides.
          The average Joe doesn’t even think about security or privacy, they just know that the results of using WhatsApp are superior than using SMS.
          iMessage is a non starter everywhere out of the US, it just doesn’t have the market penetration.
          As an Australian, no one I know (many of whom own iPhones) talk about the blue-green bubble stuff.
          They recognise where the fault lies and simply don’t use the app.

            • Mountaineer@aussie.zone
              link
              fedilink
              English
              arrow-up
              1
              ·
              2 months ago

              I have a friend group that insist on all events being planned through facebook.
              I’ve missed out on events in the past due to not taking part.
              It’s no longer a hill I wish to die on.

  • ElectricMachman@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    11
    ·
    2 months ago

    Brilliant article - but it looks like it’s now been removed. Would be impressive if someone at Dotpe got wind in such a short space of time…

    • poVoq@slrpnk.netOP
      link
      fedilink
      arrow-up
      7
      ·
      2 months ago

      Huh, it was still working when I posted it one hour ago… unlucky I guess 🤷‍♂️

  • EngineerGaming@feddit.nl
    link
    fedilink
    arrow-up
    4
    ·
    edit-2
    2 months ago

    It asked for your phone number? That is the thing that angered me the most. I wonder why you would share this rather than ask a waiter and say you don’t have Whatsapp, for example.