QR code scanner security
-
If you scan a QR code which contains a link, Vivaldi automatically opens the link in a new tab. I cannot find an option that allows you to review the link before opening it. Please point me towards it if I missed it. I am using Android.
Due to the increased usage of QR codes for phishing, I think having at least the option to read the QR code contents in plain text before opening a potentially dangerous link is a must-have security feature.
-
@dimi575 I don't scan QR codes with any app that I'm not really sure of what it will do with the info. Currently using Binary Eye which you can set up for what it will happen. A bit more tedious copy & pasting but
-
Normally, we would request you not to post on the forums if you have discovered a security issue; it puts people at risk because it tells an attacker what to do, without users being able to protect themselves yet. Report them directly to our bug tracking system so we can fix them and protect everyone. However, in this case, no harm done, so don't worry.
We occasionally get reports about this (usually from researchers), but it is actually completely harmless behaviour, so I figured it would be safe to repeat our answer here so that others can see why it is not actually something bad.
The reason that most QR scanning apps ask whether you want to treat something as a URL is because they are designed to scan many different kinds of QR code. They could be a URL or text or a link to an app. Therefore it might be a surprise for it to open a browser, and they therefore ask if you really want to open a third party app.
In Vivaldi's case, the only reason to use the QR scanner is to open a web page URL. Therefore there is no reason to ask if you want to treat it as a URL.
Prompting would simply be a nuisance, and does not offer any kind of security protection. A prompt is not needed before opening a URL in any other way either, such as when tapping on a link on a website, but that has the same potential for things to happen. A user cannot tell if a URL will be good or not when tapping on a link. A user cannot tell what will actually load when seeing a redirect service's URL: https://tinyurl.com/safeyouthink
When you tap a link, you have no idea what will load because it could use several mechanisms to alter that. When you tap anything that has a JavaScript onclick handler, you have no idea what will load. You tap it and see. What loads can be completely different from any tooltip text. You wait for the page to load, and then you check the address field. Therefore this is not any worse than clicking a link. And you would not expect to click "OK, that's fine, go there" on a dialog when clicking a link, or having to focus the address field then press enter. You also would not want that to happen whenever the URL navigates via a series of redirects. The web would be unusable, so no browsers would do that.
In fact the QR scanner is better than clicking a link, because when a user taps the "scan a QR code to load a URL" button, they know full well that they cannot read the QR code, and will have to check the address field. They also know that they are trying to load a URL. Phishing is actually harder than when using a regular link, because regular links can do things like this:
<a href="http://good.com" onclick="window.open('http://evil.com','_self');return false;">http://good.com</a>
The user taps that link, and they do not realise where it will end up, and they do not have any way to consent to it happening. And just to prove that this can happen, Google do it all the time with search results; you see a search result, hold your mouse over it, it shows http://the.search.result/ as the tooltip (on desktop), but when you actually click it, Google changes it so that it loads this, which in turn redirects you to where they said the link was going to point to:
https://www.google.com/url?a&load&of&url&parameters
This is considered perfectly normal and acceptable, and not a security issue. This is why you should always check the address field before you type anything sensitive into a form, so you can see what website you are on right now, not what website you thought a link was going to load. This is why the status field or link tooltip is not a security indicator in any way (and actually makes things worse) - only the address field and certificate dialog matter because they show you the actual address that loaded. The suggested "fix" actually makes phishing easier. It makes the user think they know what will load, when it could just redirect to something else, and it makes them less likely to read the address field when it actually loads.
The way the QR code scanner works does not put anyone at any risk. Not any more than loading any URL by tapping a link is a risk. As a result, we do not consider this to be a security issue, or a bug. It is intentional behaviour.
-
@tarquin
I can't agree with you. When I scan using BinEye, I can pass the result to a program like UrlCheck. It has its own lists and patterns to check Url security. And it shows the recognized link in its entirety, pointing out the problematic parts. That is, the user just has the opportunity to stop and think what happens in case the link is already passed to one of the browsers. Finally, I can choose from the browsers I have installed the most suitable Url for this. Maybe the most secure one. Or the one that will automatically open the link in private mode. Or one that automatically recognizes punycode as Privacy browser. Or that can work with different web page encodings (yes, it still happens).
In any case, being able to stop and think about what that Url is is very useful. If I have a short link in front of me, I can pre-run it through a site that reveals such links. If the site is suspicious, I can google it beforehand, run the link through virustotal and similar checkers. And so on.
-
Passing a link to a third party checker is not at all helpful for security (though you may have uses for it). The link can conditionally redirect somewhere else when you use a real browser, so you can get a false result. And it means you have now fallen for the problem; you believe you know exactly where the link will end up, and you will fail to check it again.
But if you want to do that, that's fine, you can do so. Use a third party QR code scanner app, and do what you like with it. Just bear in mind that you absolutely cannot trust anything based on the URL you initially load. You can only trust the address field that shows a URL where you land.
You also have not checked every other URL that you loaded, whether that was tapping a link, tapping a form submit button, tapping on a random web page element, having the page use window.open, location.href or meta refresh. You seem to think a QR code is something extra special that you need to be especially scared of, when you load untrusted links all the time from websites and search engines. Actually, a QR code is the same as any of those things, and you use them every day without checking the URLs that will load first.
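The point made above about a link conditionally redirecting somewhere else for a real browser, as an added in-memory simulation (not code from the thread or from Vivaldi): a constructed redirect table where one hop picks its target from the User-Agent, so a URL checker and a browser land on different sites; all hostnames are made up.

```python
# Added example, not from the forum thread: simulates why a third-party URL
# checker's verdict can differ from what a real browser actually loads.
# All URLs, hostnames and User-Agent strings below are constructed.
from urllib.parse import urlparse

# Constructed redirect table: url -> fixed target, a function of the User-Agent
# that returns the target, or None meaning "final page, no further redirect".
REDIRECTS = {
    "https://short.example/abc": "https://hop.example/go",
    "https://hop.example/go": lambda ua: (
        "https://safe.example/article"            # what a scanning service is shown
        if "checker" in ua.lower()
        else "https://login-page.example/form"    # what a real browser is sent to
    ),
    "https://safe.example/article": None,
    "https://login-page.example/form": None,
}


def follow_redirects(start, user_agent, table=REDIRECTS, max_hops=10):
    """Return the chain of URLs visited until a page with no redirect is reached."""
    chain = [start]
    url = start
    for _ in range(max_hops):
        target = table.get(url)
        if callable(target):
            target = target(user_agent)   # conditional hop: depends on who is asking
        if target is None:
            return chain
        chain.append(target)
        url = target
    raise RuntimeError("too many redirects")


def landing_site(chain):
    """The only thing the thread says you can trust: the host of the page that loaded."""
    return urlparse(chain[-1]).hostname


def checker_verdict_matches_browser(start):
    """True only if a checker and a browser end up on the same site for this link."""
    checker = follow_redirects(start, "ExampleURLChecker/1.0")
    browser = follow_redirects(start, "Mozilla/5.0 (Linux; Android) Vivaldi")
    return landing_site(checker) == landing_site(browser)


if __name__ == "__main__":
    link = "https://short.example/abc"
    print("checker sees:", follow_redirects(link, "ExampleURLChecker/1.0"))
    print("browser sees:", follow_redirects(link, "Mozilla/5.0 (Linux; Android) Vivaldi"))
    print("checker verdict trustworthy:", checker_verdict_matches_browser(link))
```

The checker reports the benign landing page while the browser is sent elsewhere, which is why only the address field after the page loads tells you where you actually are.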