Not sure, but I think QR codes that hold Wi-Fi creds would more likely be automatically processed by phones. Seems like an adequate attack surface. Maybe dodgy creds could overflow or do some kind of DB attack. Or even legit creds could lead someone to connect to a malicious hot-spot captive portal that the attacker carries.
When my phone’s barcode reader app sees a web link, it fetches the page’s title to display next to the actual link. So it is going to that web server and fetching resources by itself. Even though it isn’t actually rendering the page and running JavaScript, it might be exploitable.
But that’s the barcode app - is it always running, looking for barcodes in all the photos you take? Because there are already shirts with giant barcodes on them - presumably just artistic with no meaning, but who knows?
Does anybody configure their phone to automatically scan photos for QR codes and visit the links?