QR code scanner security
-
If you scan a QR code which contains a link, Vivaldi automatically opens the link in a new tab. I cannot find an option that allows you to review the link before opening it. Please point me towards it if I missed it. I am using Android.
Due to the increased usage of QR codes for phishing, I think having at least the option to read the QR code contents in plain text before opening a potentially dangerous link is a must-have security feature.
-
@dimi575 I don't scan QR codes with any app that I'm not really sure of what it will do with the info. Currently using Binary Eye, which you can set up to decide what will happen with the result. A bit more tedious copy & pasting but
-
Normally, we would request you not to post on the forums if you have discovered a security issue; it puts people at risk because it tells an attacker what to do, without users being able to protect themselves yet. Report them directly to our bug tracking system so we can fix them and protect everyone. However, in this case, no harm done, so don't worry.
We occasionally get reports about this (usually from researchers), but it is actually completely harmless behaviour, so I figured it would be safe to repeat our answer here so that others can see why it is not actually something bad.
The reason that most QR scanning apps ask whether you want to treat something as a URL is because they are designed to scan many different kinds of QR code. They could be a URL or text or a link to an app. Therefore it might be a surprise for it to open a browser, and they therefore ask if you really want to open a third party app.
In Vivaldi's case, the only reason to use the QR scanner is to open a web page URL. Therefore there is no reason to ask if you want to treat it as a URL.
Prompting would simply be a nuisance, and does not offer any kind of security protection. A prompt is not needed before opening a URL in any other way either, such as when tapping on a link on a website, but that has the same potential for things to happen. A user cannot tell if a URL will be good or not when tapping on a link. A user cannot tell what will actually load when seeing a redirect service's URL: https://tinyurl.com/safeyouthink
When you tap a link, you have no idea what will load because it could use several mechanisms to alter that. When you tap anything that has a JavaScript onclick handler, you have no idea what will load. You tap it and see. What loads can be completely different from any tooltip text. You wait for the page to load, and then you check the address field. Therefore this is not any worse than clicking a link. And you would not expect to click "OK, that's fine, go there" on a dialog when clicking a link, or having to focus the address field then press enter. You also would not want that to happen whenever the URL navigates via a series of redirects. The web would be unusable, so no browsers would do that.
In fact the QR scanner is better than clicking a link, because when a user taps the "scan a QR code to load a URL" button, they know full well that they cannot read the QR code, and will have to check the address field. They also know that they are trying to load a URL. Phishing is actually harder than when using a regular link, because regular links can do things like this:
<a href="http://good.com" onclick="window.open('http://evil.com','_self');return false;">http://good.com</a>
The user taps that link, and they do not realise where it will end up, and they do not have any way to consent to it happening. And just to prove that this can happen, Google do it all the time with search results; you see a search result, hold your mouse over it, it shows http://the.search.result/ as the tooltip (on desktop), but when you actually click it, Google changes it so that it loads this, which in turn redirects you to where they said the link was going to point to:
https://www.google.com/url?a&load&of&url&parameters
This is considered perfectly normal and acceptable, and not a security issue. This is why you should always check the address field before you type anything sensitive into a form, so you can see what website you are on right now, not what website you thought a link was going to load. This is why the status field or link tooltip is not a security indicator in any way (and actually makes things worse) - only the address field and certificate dialog matter because they show you the actual address that loaded. The suggested "fix" actually makes phishing easier. It makes the user think they know what will load, when it could just redirect to something else, and it makes them less likely to read the address field when it actually loads.
The way the QR code scanner works does not put anyone at any risk. Not any more than loading any URL by tapping a link is a risk. As a result, we do not consider this to be a security issue, or a bug. It is intentional behaviour.
-
@tarquin
I can't agree with you. When I scan using BinEye, I can pass the result to a program like UrlCheck. It has its own lists and patterns to check Url security. And it shows the recognized link in its entirety, pointing out the problematic parts. That is, the user just has the opportunity to stop and think what happens in case the link is already passed to one of the browsers. Finally, I can choose from the browsers I have installed the most suitable one for this Url. Maybe the most secure one. Or the one that will automatically open the link in private mode. Or one that automatically recognizes punycode, as Privacy Browser does. Or one that can work with different web page encodings (yes, it still happens).
In any case, being able to stop and think about what that Url is is very useful. If I have a short link in front of me, I can pre-run it through a site that reveals such links. If the site is suspicious, I can google it beforehand, run the link through virustotal and similar checkers. And so on.
-
Passing a link to a third party checker is not at all helpful for security (though you may have uses for it). The link can conditionally redirect somewhere else when you use a real browser, so you can get a false result. And it means you have now fallen for the problem; you believe you know exactly where the link will end up, and you will fail to check it again.
But if you want to do that, that's fine, you can do so. Use a third party QR code scanner app, and do what you like with it. Just bear in mind that you absolutely cannot trust anything based on the URL you initially load. You can only trust the address field that shows a URL where you land.
You also have not checked every other URL that you loaded, whether that was tapping a link, tapping a form submit button, tapping on a random web page element, having the page use window.open, location.href or meta refresh. You seem to think a QR code is something extra special that you need to be especially scared of, when you load untrusted links all the time from websites and search engines. Actually, a QR code is the same as any of those things, and you use them every day without checking the URLs that will load first.
-
@tarquin - You seem to be saying that since criminals have so many ways that they can fool us with a normal webpage link, we should give up any attempts to discern whether a QR code has a high or low probability of being malicious. That would be faulty reasoning, because a lot of maliciousness that is easy to hide behind a QR code is easy to detect when it's decoded. Just being able to see that it's a trusted domain name would allay most concerns about potential maliciousness.
Previewing the URL could also reveal whether it contains data in a query string that compromises my privacy (e.g., identity and location tracking), and I could opt not to navigate to such a URL, or I could edit the query first... but only if I can see it first.
Previewing the URLs in QR codes would be such an easy option to provide, I don't know why the Vivaldi team doesn't just provide it. After all, extensive customizability is the primary benefit of using Vivaldi over other browsers.
You may say that I can simply install an extension to add a desired security feature, but then I have to deal with the possibility of the extension itself being malicious! One of the main advantages of having a feature built in is that I don't have to put my faith in some random developer. I already trust Vivaldi.
-
@viva2022 Think of a QR code as a bitly URL (or any of the other URL-shorteners). You don't know where the bitly URL will end up (and the surrounding text is not necessarily accurate, either), and you can't know until you actually get to the site. You also don't know that the QR code URL will go to your bank even if it starts with "mybank"; the rest of the URL may be ".com.iamevilhaxor.foo/myevilhack" (translated into something completely nice and comfort sounding, of course).
You would not be able to tell reliably if it contains any tracker information; frequently all such information is encoded in a way that means you have to pick it to pieces (and even that might not work), and as Tarquin mentioned earlier this week in another thread, three English words can be used to identify trillions of unique individuals without anyone being any wiser by inspecting the URL.
For that matter, many (actually, most) URLs legitimately pass through many points on their way to the real site, especially if there is some payment involved (e.g. if you use the QR code on one advertisement, one company gets paid a bonus; if you use another, a different company gets paid), and those URLs will NEVER go directly to a URL you will recognize as belonging to the site you think you are going to. It will belong either to the advertising agency, or to a third-party site trusted by both to do accurate counting of URL usage (for reference, that is how ALL advertising URLs work; that clicked advertisement URL for Nike never goes directly to Nike's web site). These URLs will be long and complex, they will never contain the destination URL in plaintext, or even in encoded text, and the hostname will effectively be "you-have-never-heard-of-us-before-and-might-never-again.foo". IOW: inspecting the URL won't provide you any information about where you are going.
Only the simplest URLs (e.g. the ones to threads here in the forums) go directly to the expected web site; most (especially advertisement, QR codes, bitly URLs) play several rounds of ping-pong around the planet before they finally load a web page. And you can't tell until you arrive whether or not you have arrived where you expected to arrive.
It is not a question of "criminals" doing this; it is a fact of life that today everybody (and their friends, brothers, sisters, aunts, uncles, parents, grandparents, etc.) is doing it as part of doing business on the web.
Bottom line: You can never be sure where a URL will take you.
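As an added illustration of the two sides of this thread (the decoded-URL preview that viva2022 asks for, and the lookalike-host, redirector and shortener cases tarquin and the reply above use to show its limits), here is a small inspector for a decoded QR-code URL. It is example code written for this page, not a Vivaldi, Binary Eye or UrlCheck feature; the registrable-domain rule (last two host labels, no Public Suffix List) and the short lists of TLD-like labels, redirect parameters and shorteners are simplifying assumptions, and the sample URLs are the ones from the thread.

```javascript
// Added example, not code from the forum thread. Reports what the decoded
// text of a QR-code URL can reveal before loading (lookalike host, redirector
// parameter, shortener, plain http) and whether the final destination can be
// known from the text at all. Assumptions: registrable domain = last two host
// labels (no Public Suffix List); the three lists are illustrative only.

const TLD_LIKE_LABELS = ['com', 'net', 'org'];          // labels abused inside subdomains
const REDIRECT_PARAMS = ['url', 'u', 'q', 'redirect', 'target'];
const SHORTENERS = ['tinyurl.com', 'bit.ly'];           // the shorteners named in the thread

function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').filter(Boolean).slice(-2).join('.');
}

function inspectUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { ok: false, reason: 'not an absolute URL' };
  }
  const host = url.hostname.toLowerCase();
  const domain = registrableDomain(host);
  const findings = [];

  // mybank.com.iamevilhaxor.foo: "mybank.com" is only a subdomain prefix.
  const prefix = host.slice(0, Math.max(0, host.length - domain.length - 1)).split('.');
  if (prefix.some((label) => TLD_LIKE_LABELS.includes(label))) {
    findings.push(`lookalike host: you land on ${domain}, not on ${prefix.join('.')}`);
  }
  // www.google.com/url?url=...: the text names a redirector, not the destination.
  for (const [key, value] of url.searchParams) {
    if (REDIRECT_PARAMS.includes(key.toLowerCase()) && /^https?:\/\//i.test(value)) {
      findings.push(`redirector: param "${key}" points at ${new URL(value).hostname}`);
    }
  }
  if (SHORTENERS.includes(domain)) findings.push('shortener: destination not visible in the text');
  if (url.protocol !== 'https:') findings.push(`scheme ${url.protocol} is not https`);

  // A redirector or shortener means the text cannot prove where you will land;
  // only the address field after the page has loaded shows that.
  const destinationKnowable = !findings.some((f) => /^(redirector|shortener)/.test(f));
  return { ok: true, host, domain, findings, destinationKnowable };
}
```

Even when `destinationKnowable` is true the result only describes the first hop, which is the thread's point: a server-side redirect is invisible to any preview, so the address field after loading is still the only indicator to act on.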