A QR code that sends you to a different destination - lenticular and adversarial
29 comments
·January 23, 2025nixpulvis
codetrotter
Tangential but once in a blue moon I come by some situation where I’m on my phone and I’m looking at something that has a QR code showing on the screen of the phone itself.
And so I do something silly like airdropping a screenshot of it to my laptop so I can scan it with my phone camera, or I get someone else (friends, family) to use their phone to scan the code from my phone screen with the camera app on their phone.
And all this time I was annoyed why I couldn’t just get the link directly from the image on my phone without involving another device, and without having to install yet another third-party app.
And today I learned that all I had to do was long press the QR code in the screenshot in my camera roll and it would actually parse it and make it so I could visit the link!
I think I must have tried long pressing QR code in an image in the camera roll years ago because it always seemed like something that would make sense to support via long press. Maybe they introduced this feature after I had tried to long press a QR code in an image in the past. Or maybe it was always possible and I didn’t actually ever try to long press it. Or maybe I long pressed the wrong part of the image that first one or two times I ever tried to do it in the past. Either way, very happy to have learned that this is actually possible.
davchana
Yes, I usually share it with Google App, and Lens tab.
_august
When I long-press on iOS, it shows me the mastadon link as the main "Open" link, as well as "Open in Github" (app link) in the context menu.
noitpmeder
now THIS sounds like an exploit
Normal_gaussian
I guess an interesting attack would be a screen in a public setting that alters the QR code based on information it has about the current user, without appearing to change significantly.
setup:
- make the QR code as a half/half code
- have a system to decide preference of target based on external input (e.g. camera based characteristic evaluation)
- make slight dynamic alterations to the colours of the code to bias the probability of it being picked up as the desired target. Desirable black/white can be made blacker/whiter, less desirable less so.
Where to use it maliciously:
- anywhere where people provide feedback - present alternate feedback forms to different demographics to engender the most positive (or negative) results.
- pretend to offer some form of probabilistic chance to win a prize, but bias winning to some identifiable characteristic. e.g. race, age, "beauty"
- target a specific person - have them join a different WiFi network, alter a payment page, etc.
In a static setting its less effective. I can't immediately think of a static attack that benefits from siphoning some reduced fraction of users.
I'm doubtful most people would notice a QR code dynamically changing, particularly in most public lighting.
t_mann
All of those could be done much more stealthily server-side, though, I don't get what the QR code modification would add here? Also, neither use case makes use of the hack described in the OP. Where I could see an attack based on that hack would be where an attacker plasters their code over a legitimate one. It would be kind of random which code gets read, so they could send some %-age of users to the original destination, hence possibly delaying detection. But it doesn't seem a given that this would compensate for the reduced traffic to their link.
post-it
Some sort of MITM attack by someone who owns the display but not the server, maybe. Like a malicious ad company.
t_mann
Ok, but then I'd still prefer a method that sends users to a unique URL. OP's method may help with obfuscating the changing of the code, but I'm sure there are ways to better achieve that without having to introduce this quasi-randomness. The simplest would probably be to just to regularly hide/show the code (which would happen anyway on a typical digital ad display that cycles through a number of ads).
eieio
I appreciate you laying out malicious use-cases instead of just having the setup section; I would have struggled to think of those!
FWIW the place my brain went was some kind of magic trick, since having control of this could function kind of like a forcing a specific card or something
tbrownaw
> pretend to offer some form of probabilistic chance to win a prize, but bias winning to some identifiable characteristic. e.g. race, age, "beauty"
Do a facial recognition lookup against the RealID database (I'm sure someone must be selling a leaked or hacked copy by now) and make the prize depend on the first letter of the person's last name.
Normal_gaussian
Identifying this should be relatively easy in the core libraries; finding alternate valid QR codes using "less optimal" grids.
Of course the API confusion here becomes non-trivial, which hampers securing against it. And with existing libraries being widespread, its going to linger as an attack for a long time.
pockmarked19
You don’t need any of this if you control the app doing the scanning (or the website/app handling the result).
Normal_gaussian
You wouldn't control the app doing the scanning.
The attack is that a user looking at a QR code cannot determine that they are being served a different code to another person.
In a public setting a user would have no idea they are even capable of being targetted and treated differently.
t_mann
You don't even need to change the QR code to treat users differently, that's the point. You just send users to some fixed URL, which is by far the most common use for QR codes (hence completely unsuspicious), and you decide who gets served what there, based on whatever data you gathered about them. And the users that would care are already acutely aware that that's how a majority of the web works nowadays, QR codes or not.
alan
Static a/b testing?
janniehater
[dead]
re
(Scroll up from the starting position to see the lenticular one)
ShakataGaNai
That is gnarly. My iPhone tended to lock into one or the other, rotating the phone seemed to help it go one way or the other. But a couple times it did flash back and forth between the Mastadon and GitHub links.
65
This would be cool to use in a scavenger hunt.
TOMDM
Maybe make it so that you need the results of both (all?) QR codes to get the final code/link/key.
buildbot
Interestingly, MacOS only sees the mastodon link when right clicking on the QR code.
etrautmann
That makes sense, I would imagine it would require some variability via a camera with different angles/lighting conditions in order to get both links at different times.
tzs
That's also what Mathematica's BarcodeRecognize[] sees.
daft_pink
I don’t really understand the value of this compared to just putting another QR code right over the pre-existing code? Why bother getting a fraction of users, when you can get all of them.
notRobot
The value is that it's cool.
TacticalCoder
[dead]
Gryadn
Lenticular is a toy plastic waste next to useless artifacts that constantly try to attract attention.
casey2
Attention sells products, if the next apple visions' 3D is good enough it will create a whole new product line, creating thousands of technical problem solving jobs.
Pretty impressive for plastic waste.
The most interesting thing about this to me is that on iOS a long press on the image claimed it's going to github.com, while the preview itself was for mastadon. This indicates that it's parsing the QR code twice and getting different results? I could see this being used to mislead some people, though I'm not sire how many people look at the long press dropdown URL.