That article is stunningly light on actual substance, other than "you can generate QR codes with this repo" with a link to a repository that doesn't exist anymore. The best case they give for "issuing commands" is encoding a WiFi access point into a QR code. So you can encode a URL, or you can encode your WiFi data, because the data in a QR code is _literally text strings_. You could _possibly_ stick some malicious Javascript in it, but again, if your device is allowing JS to randomly exfiltrate data from your phone through your browser, something worse is going on.The actual statement from the FBI on this subject says "While QR codes are not malicious in nature, it is important to practice caution when entering financial information as well as providing payment through a site navigated to through a QR code." So the danger is really visiting malicious URLs, which was the entire point of my previous post.
No comments yet.