QR codes essentially just encode text, as long as you’re using a sensible QR code reader and check any URLs before opening them there’s minimal risk to scanning a QR code.
Respectfully I think this is a minimal attack vector in this case due to the limited character set of urls. But thanks for the callout, I didn’t know there was a name for this sort of attack.
Modern browsers happily show you the actual characters, while sending their encoded entities to the server. So, from a user perspective there is no ASCII limitation. Case in point: söhne.at (just some random website, I have no idea what they are or if they are legitimate)
They’d still resolve via DNS to an address in ASCII though, right? Wouldn’t that only be an issue if ICANN didn’t have a monopoly on DNS registration? i.e what we already depend on for a semblance of convenience without totally compromising opsec
I mean, generally speaking, just don’t click on random links. This is a random link. Qr codes are valuable but we’re conditioning society to just be cool with clicking on random shit without putting much thought into it.
I may have in the past put lyrics from “Never Gonna You Up” or links to the music video on YouTube in QR codes I printed on blank business cards and left them in public places around town.
Cool but I wouldnt exactly trust a random qr code
QR codes essentially just encode text, as long as you’re using a sensible QR code reader and check any URLs before opening them there’s minimal risk to scanning a QR code.
I still wouldn’t trust it because of homograph attacks.
Respectfully I think this is a minimal attack vector in this case due to the limited character set of urls. But thanks for the callout, I didn’t know there was a name for this sort of attack.
Modern browsers happily show you the actual characters, while sending their encoded entities to the server. So, from a user perspective there is no ASCII limitation. Case in point: söhne.at (just some random website, I have no idea what they are or if they are legitimate)
They’d still resolve via DNS to an address in ASCII though, right? Wouldn’t that only be an issue if ICANN didn’t have a monopoly on DNS registration? i.e what we already depend on for a semblance of convenience without totally compromising opsec
It utilizes punycode under the hood. The actual DNS entries still use ASCII.
Punycode enables you to encode any Unicode character as ASCII. Almost all browsers support this.
Oh is that like bankofarnerica.com or whatever, hoping the r and n look enough like an m for at least some people to click?
Or xss/sqli/etc attacks on vulnerable sites that don’t sanitize url query parameters
Or maybe a fraudulent signal app.
I mean, generally speaking, just don’t click on random links. This is a random link. Qr codes are valuable but we’re conditioning society to just be cool with clicking on random shit without putting much thought into it.
You could still enter the URL manually if you are concerned.
I may have in the past put lyrics from “Never Gonna You Up” or links to the music video on YouTube in QR codes I printed on blank business cards and left them in public places around town.