The largest QR code can hold up to 3 kb of data, which is more than enough to write a nasty virus in an injectable script if aimed at specific devices/apps. The main hurdle is breaking the app to execute the code instead of treating it as a string. It’s the Drop Bobby Tables joke. Developers hopefully don’t fall for this anymore.
Anyway. Making a shitty link and leading people there isn’t a new idea. You don’t even need a t-shirt. Hackers already place their own printed QR labels on top of otherwise real codes, and the user might not even notice, because they’ll be redirected to the right site after the dirty deed is done dirt cheap.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Probably the closest you’re going to get
Depending on what they plan to use the video for, a middle finger can be sufficient.
Having worked in TV news, I’ve long thought the way arrested politicians or whoever that are trying to avoid being filmed leaving a courthouse by holding a folder or coat in front of their face should instead just hold both middle fingers up right in front of their face. The image won’t be used, and if it is, it will make it very clear how they feel about the citizens.
So I thought I pulled a great prank once. I made a QR code that directed to lemonparty. I used an online sticker service’s free trial to print a bunch up with my friend’s Instagram at the bottom. I travel all over for work so I was going to put them everywhere.
My problem was I printed them in yellow and they wouldn’t scan. I told my friend and he thought it was a funny idea just like I knew he would, not a malicious prank. Wish it had worked.
Does anybody configure their phone to automatically scan photos for QR codes and visit the links?
I think as a precaution, barcode scanners stopped automatically going to links.
Even if a link isn’t malicious, you can still get someone’s IP address or device fingerprint.
IP would not be an issue, your phone is behind cgnat when using a mobile connection
When my phone’s barcode reader app sees a web link, it fetches the page’s title to display next to the actual link. So it is going to that web server and fetching resources by itself. Even though it isn’t actually rendering the page and running javascript, it might be exploitable.
But that’s the barcode app - is it always running, looking for barcodes in all the photos you take? Because there are already shirt with giant barcodes on them - presumably just artistic with no meaning, but who knows?
I have a shirt with a QR code that goes to a Rick roll. It doesn’t work nearly as well as I’d hoped. Even people trying to scan it have a hard time, forget about anyone scanning it unknowingly. Mr. Astley did in fact let me down.
I configure my phone to automatically follow the links from scammer texts.
My phone’s camera app just doesn’t scan qr codes. It’s actually really frustrating. I refuse to install a specific qr scanner, but I’d still like the ability to scan a menu code at restaurants or to get the WiFi connection at a hotel…
Mine scans but doesn’t follow (and it doesn’t scan in video mode)
Why not just use this one?
I knew what it would be. I still grabbed my phone. I saw youtube. I still clicked it.
At this point I do it just to feel something
I feel…him
YouTube? Ok, I was going to guess goatse, but guessing not now.
Don’t give up
Dang it, my streak was going well till this
Don’t let yourself down like that. Start a new streak.
Search your heart. You know what it is. You know.
Except if they were halfway intelligent they wouldn’t have it go automatically to the site.
And when you do this and something goes really wrong criminal charges get laid.
I’m not sure if you could actually get criminal charges for this unless you were hosting the malware in which case that’s another issue. It would essentially be the same as walking around with a website URL on your shirt. The observer is responsible for typing in the URL or scanning the code and what they decide to do on the website that follows.
I tend to agree that this is how it should be, that doesn’t mean that’s how it is. If you walk around with a T-shirt that says “kill all CEOs” along with where to find them, you’re going to run into some trouble, despite being a similar situation- you’re just giving instructions, it’s up to the viewer what to do with them.
Except the shirt doesn’t say “visit this site, there are cool things on it”. If you’re gonna make the comparison to CEOs then it would be like putting a CEOs address on your shirt.
There’s the argument that you distrubuted it.
Same argument for having it direct you to somewhere like meatspin. Can’t be distributing porn to minors.
got it from a thrift shop, I don’t even know what that square thing is
I don’t know about the states, but here in Canada the government takes the position “ignorance of the law is not a defence”.
You’re not being ignorant of the law - you’re being ignorant of the weird computer square printed on the shirt you thrifted
Claiming you didn’t know it could cause harm isn’t a defense in court in Canada.
Anymore bullshit?
Christ you’re a cordial fellow
I was, I thought quite clearly, having a joking poke. Obviously “didn’t know lol” isn’t a defense.
here’s an idea : let it redirect to a URL but with it’s query params tweaked so it automatically attempts an SQL injection on the website when loading
