This QR Code Leads To Two Websites, But How?

QR codes are designed with alignment and scaling features, not to mention checksums and significant redundancy. They have to be, because you’re taking photos of them with your potato-camera while moving, in the dark, and it’s on a curved sticker on a phone pole. So it came as a complete surprise to us that [Christian Walther] succeeded in making an ambiguous QR code.

Nerd-sniped by [Guy Dupont], who made ambiguous codes using those lenticular lens overlays, [Christian] made a QR code that resolves to two websites depending on the angle at which it’s viewed. The trick is to identify the cells that differ between the codes for the two URLs and split each of them in half vertically and horizontally, turning it into a tiny checkerboard. It appears that some QR decoders sample in the center of each target square, and that sample point will land on one side or the other depending on the tilt of the QR code.
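The center-sampling behaviour described above also suggests a check a decoder could run before trusting a code: flag any module that is not a single solid colour. The sketch below is an added example, not [Christian]'s code or any real decoder's; it uses constructed 3x3 toy grids rather than real QR symbols, and the function names and the 8-pixel module scale are assumptions.

```python
# Added example: toy module grids, not a real QR encoder or decoder.
SCALE = 8  # pixels per module side (assumed render scale)

def render(grid_a, grid_b, scale=SCALE):
    """Constructed test input: solid modules where the grids agree,
    a 2x2 checkerboard (as the article describes) where they differ."""
    n = len(grid_a)
    img = [[0] * (n * scale) for _ in range(n * scale)]
    half = scale // 2
    for r in range(n):
        for c in range(n):
            a, b = grid_a[r][c], grid_b[r][c]
            for y in range(scale):
                for x in range(scale):
                    # top-left and bottom-right quadrants carry grid A's value
                    diag = (y < half) == (x < half)
                    img[r * scale + y][c * scale + x] = a if diag else b
    return img

def sample(img, n, offset, scale=SCALE):
    """Read one pixel per module at centre + offset (dx, dy) pixels,
    modelling a decoder whose sample point shifts with viewing angle."""
    dx, dy = offset
    mid = scale // 2
    return [[img[r * scale + mid + dy][c * scale + mid + dx]
             for c in range(n)] for r in range(n)]

def ambiguous_modules(img, n, scale=SCALE):
    """Defensive check: list modules whose pixels are not all one colour."""
    bad = []
    for r in range(n):
        for c in range(n):
            px = {img[r * scale + y][c * scale + x]
                  for y in range(scale) for x in range(scale)}
            if len(px) > 1:
                bad.append((r, c))
    return bad

# Constructed 3x3 grids that differ in two modules.
A = [[1, 0, 1], [0, 1, 0], [1, 1, 0]]
B = [[1, 0, 1], [0, 0, 0], [1, 1, 1]]
IMG = render(A, B)
```

A shift of two pixels in the sample point is enough to read grid `A` or grid `B` from the same image, while `ambiguous_modules` reports exactly the two split cells. On camera frames the uniformity test would need a noise tolerance rather than strict equality.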

Figuring out the minimal-difference QR code encoding between two arbitrary URLs would make a neat programming exercise. How long before we see these in popular use, like back in the old days when embedding images was fresh? QR codes are fun!

Whether it works is probably phone- and/or algorithm-dependent, so try this out, and let us know in the comments if they work for you.

Thanks [Lacey] for the tip!

 

44 thoughts on “This QR Code Leads To Two Websites, But How?”

  1. Kind of a neat concept, but in my testing with three different apps I either simply had trouble reading the QR code or I got the Github link like 90% of the time. It wasn’t like it was roughly 50%. Seems like that’s most people’s experience from the Twitter page.

    1. It shouldn’t be 50/50, there’s apparently 2 angles, one of which should reliably give one link, the other of which should reliably give the other, if using a QR code reader exhibiting the described behaviour (reading the centre of each point, which due to perspective can be manipulated by angle). Of note, for using multiple apps, something to consider is that a lot of apps just put their own overlay on the built in device functions, it wouldn’t surprise me if Android and iOS apps frequently deferred to the built in QR code reader in the main camera app these days instead of bringing their own

  2. Yeah, works for me– depending on the angle, distance, lighting, humidity(?), it seems to go nearly evenly between a github page and a mastodon.social page. The QR equivalent of what color is the dress?

  3. I remain utterly astonished that people blithely point their phones at completely incomprehensible graphics and blithely connect to them. And now we have one that lets you get sent to either one of TWO malware/phish sites. Has NO one learned anything over the last 50 years of cybersecurity?

      1. Indeed, from one (stick-in-the-mud, enemy-of-fun) POV, this is another in the long line of Why We Can’t Have Nice Things technology quirks that’s potentially exploitable for nefarious purposes by bad actors.

        Like when it was revealed a while back that Unicode bidirectional text could be employed to scramble filenames in ways that hide their real file extension. (So that, for example, an unwary user doesn’t realize they’re launching an .exe file, because the .exe extension at the end of the name is located somewhere in the apparent middle of the name.)

        With clever application of text-direction markers, it’s theoretically possible for a name that looks like “This is an .execiting document.pdf” to actually be an .exe file. …That, and now this lenticular QR nonsense, is why we can’t have nice things.

    1. Well, my iPhone gives me a preview of the link first (or actually just the server address), so I don’t have to connect at all to see it. If I would have had to connect to see the server or URL, I wouldn’t have tried it. Seems prudent enough when you know what you are doing.

      Ah well, I am using an iPhone. I won’t claim that it’s impossible to malware-infect an iPhone with an up-to-date iOS. But the possibility is quite unlikely.

        1. That, and zero days are valuable in the modern era of sandboxed and hardened browsing engines. It’s not impossible to zero day a browser and you shouldn’t go to suspicious links willy nilly, but the risk is much lower than it used to be because it’s much harder to break a browser, and even if an attacker finds a way to they aren’t going to waste it on low value targets and give security researchers a chance to investigate it

      1. Conversely, the camera app on my up-to-date iPhone (which I believe is the Apple-intended method of scanning QR codes) simply tells me that it recognized a link and gives me a button to follow it blindly. I have to use a third party app to actually show me the contents of the code instead of automatically following the link.

      1. That’s exactly the problem. We’ve absolutely failed, generally, to get users informed about technology. We just expect people to sit down and know. The problem becomes that the goalpost keeps moving further and further and further away, so it’s really just playing moron whack-a-mole. It’s already hard enough to get people to stop clicking attachments in e-mails, why would blindly scanning QR codes and opening the sites be any different?

        I hate this.

        1. What do you expect if 80% of people would consider the term URL as some dark magic? On the other hand, education in schools is being reduced to religious indoctrination. Again. I guess the same people who are in charge of these scams are also in charge of education.

    2. Re: Security.

      Check the link before you click through. Still, link obfuscation and link shorteners. That would be a huge warning sign, though.

      Do you trust the source of the QR code? I mean, Hackaday posted it, so it’s not intentionally malicious. (We can make mistakes, but so far in 20+ years we’ve never passed anyone on to malware sites, AFAIK.)

      But would I do the same with a random QR code off the street? About as fast as I’d re-use that needle I found in the back alley…

    3. Well yeah, it’s a known attack vector that people paste stickers of QR codes over the ‘official’ ones or even just create complete fake signs, menus etc.

      It’s a bit of a mystery to me why people aren’t more cyber aware but that’s the general public, gullible and easy to scam

    4. Clearly not. This is just more irresponsible crap being released without considering that, without fail, people will look at things like this as an obviously easy vector to launch attacks. The fact that I have to keep up with stupid crap like this just to protect my users annoys me to no end. I get that these guys think it’s “cool,” but what’s not cool is yet another way for dumb users to compromise my infrastructure.

    5. You can see what the URL is before connecting to it. All a QR code does is save some typing.

      The people who won’t look at the URL before connecting are the same ones that already click blindly on links, so nothing has changed at all.

    6. Honestly not that big of a deal if you follow basic cyber security rules. Don’t put in information on a page an unknown QR code sends you to (duh). Still leaves the zero-day risk, but that’s quite unlikely in general, even less likely given the source + browsers and OSes are quite good with heuristic checks now. This is a plausible but unlikely attack vector. (This got analyzed a lot after that super bowl commercial qr some years ago. The super consumer-y sources that just reprint whatever definitely framed it as a major risk. Cybersecurity sources had a much more nuanced view.)

    7. Pointing phone at some graphics shouldn’t be a security problem. It’s the existence of apps which will immediately open a url without showing it to the user and asking for confirmation which I don’t get. And they got all of the “verifications” and “approvals” and even come preinstalled… SMH

  4. I did try this and did manage to capture the 2 URLs with the “Barcode scanner” android app

    I managed to get both of them consistently by scanning from “the left” and then from “the right”, while the phone was in landscape orientation. Nice

  5. This reminds me of records that would play different things occasionally. Simple but brilliant: They just scribed two concentric grooves on the surface of the record. Depending on where you dropped the needle, it would fall into one or the other.

  6. I was able to capture both websites simultaneously by using Google lens on the source image. It automatically centers and captures the Mastodon link, but by making a searching box that has the code off in the top right corner of the searching field, it finds the GitHub page in the bottom bar while leaving the Mastodon link hovering above the QR code itself.

  7. I wonder if two QR codes with fewer differences between them would make this simpler or more reliable? Perhaps you could experiment with link shorteners, that way you could still send someone wherever you’d like but the qr code would look more “normal”

  8. The actual question should be “inventing something just for sake of inventing – do we still need more of the same?”

    Reason being, technology for the sake of technology is a larger topic nobody wants to touch with a stick while standing 100 yards/meters away. At the risk of being called an old fart, I fail to see the merits of this (ie, compressing two unrelated URLs into one QR Code).

    This is not the only thing that’s mostly pointless (IMHO), btw, just one out of thousands. Smart Watch that’s not exactly smart is another one (ie, it needs a bluetooth-connected cell phone to be smart). Prior to it was “semantic web” that largely failed without fanfare – though the promise was “smart web 2.0” as opposed to the “dumb web 1.0” which we seem to be stuck with regardless (“dumb web 1.0” is a general/blanket term, unrelated to anything suddenly AI-enhanced-again-for-no-clear-merit).

    If I am to go down this rabbit hole, I’d show the QR Code in three major colors RGB recognized universally by all browser engines as such … make some of them gradient so that one square can be interpreted differently depending on the QR Code being read … or better yet, four major colors, RGB and black, so each QR Code square can have four different colors … obviously, this is just to scratch the surface …

    As a side note, as far as compressing anything goes, I have personal success stories of zipping ASCII texts, uuccping into ASCII and printing in a smallest font available (that can be reliably scanned) with zero margins on an acid-free A4 … the year was 2003 and it worked at 95% success rate using the cheapest technology available to me at the time (laser printer, tho, I needed text with no smudges). I stopped at that since mission was accomplished – I could readily archive plain vanilla ASCII text in reasonably large quantities (compared with anything better – like microfilms). I am pretty sure there are better faster more proprietary ways of doing that, but I am also pretty sure this is the bare minimum open source tech available to any average Sam, hence, it was a success.
