QR Codes: A cool Super Bowl ad or another way for hackers to take over your accounts?
Introduction
A quick response (QR) code is a type of barcode easily readable with digital devices like smartphones. QR codes have been around for a long time, but have gained popularity over the years, especially during COVID, with restaurants and other customer-facing industries. When Coinbase aired a Super Bowl ad that featured nothing but a QR code, over 20 million people scanned it within 60 seconds.
So, it shouldn't come as a huge surprise that hackers are leveraging this technology for malicious purposes. If you're not careful, these codes could be used to download malware, send users to phishing pages, take over your WhatsApp account and more.
OWASP Top 10
For years, SQL Injection has been in one of the top spots for web application vulnerabilities. How does this relate to QR codes?
QR codes are used to store data, and this can include malicious data. Suppose there is a site that reads a QR code and stores its value in a database. Any time an application takes user-supplied data and stores it in a database, there is a possibility of SQL injection. This means that an attacker could create a QR code containing a SQL injection payload, which could ultimately get processed by the application. If the application is vulnerable to SQL injection, the payload will trigger. In this case, we can think of QR codes the same way we think of any other user-supplied data: all the same attacks are present.
The only difference is the delivery mechanism, which in this case is the QR code. Instead of putting a SQL injection payload in an input field, as you would when testing a web application for vulnerabilities, the SQL payload is embedded in the QR code.
Below, we have a QR code with our blind SQL injection payload (1' WAITFOR DELAY '0:0:10').
Account takeover
Some applications allow you to link an account to your device via a QR code. If a malicious hacker tricks you into linking your account in this way, they could take over your whole account.
The messaging app WhatsApp allows you to scan a QR code with your phone to link your mobile account to your desktop device. An attacker could forge a phishing page containing such a QR code and trick people into scanning it. If successful, the attacker would be signed into the victim's account, giving them full access. WhatsApp is not the only application with this functionality; many other apps offer it as well, and any application that links accounts this way is exposed to the same attack.
Phishing Emails
QR codes have also been used in email phishing attempts. Attackers can hide their phishing links within a QR code, which can be used to get around traditional security checks.
As shown in the phishing email above, the attacker tries to convince the target to scan the QR code with their phone. Once scanned, the victim is taken to a phishing page where they are asked to enter their credentials. This bypasses most email security systems, since there is no hard-coded link in the email to analyze, making the message harder to pick up and block.
Conclusion
QR codes were originally designed to hold data that is easily readable by digital devices, such as cameras and phones. However, like most things, they can be used for good or bad. Attackers can leverage QR codes for phishing, to take over people's accounts, and even as an exploit delivery mechanism.
99% of QR codes out there are safe, but it's the 1% you have to worry about. If you are a developer, you should treat user-supplied QR codes the same way you treat all user-supplied data… don't trust it! As an everyday user, you should be aware that QR codes can be used for phishing attacks. Like all phishing attacks, the attacker has to convince you to take an action before you can be compromised, but these tactics are getting better and better.
If you were one of the 20 million who scanned the Super Bowl ad, don't panic. No breach involving that QR code has been reported. However, be careful in the future and avoid codes you're not familiar with.