QR Code Hacking - I Placed 'Malicious' QR Codes Around My Local Area - Here's Who I Caught.


⏰ Timestamps:
0:00 - Introduction
0:41 - Quishing Explained
1:12 - The Idea
1:25 - Implementing the Experiment
4:48 - Placing QR Codes
5:48 - The Results
6:34 - QRLJacking Explained
7:31 - Evil QR by Kuba Gretzky
10:06 - Conclusion + Deeboodah

Comments

I remember doing the same thing, just with USBs around my school

Nalbennabeel

This, and malicious unsubscribe-links are two attack vectors that I'm surprised aren't utilized more than they currently are.

SweDownhill

I really liked this.

I did a deep-dive into QR codes a few years back for a project at work. Got to love them, made a product better and made the client happy.
This is all new to me, especially 'quishing', which sounds gross. You gave me new tools to play with, and renewed my interest in the mischief.
I appreciate your style. I understand from whence it comes.

magic.marmot

Really a great watch and thanks for the demonstration. It is really another attack vector that not everyone is fully aware of and most people do just scan these QR Codes in the wild, without thinking first. This creates further awareness, thanks.

marekdworzanowski

Don't feel bad, you are teaching people some safety, you are doing a service to protect them in the future.
You should have used different codes for each instance to track what got the most hits (lottery, car wash, etc.) to collect more efficient data.

SeniorScriptKitty

You'd get tons of people if you put the QR code on tables outside of restaurants. So many restaurants use QR codes for ordering now, people just assume it's the menu.

hypercube

At least one of your QR codes should have redirected to Rick Astley's Never Gonna Give You Up.

aresinamorta.staring-atthe-sun

I wouldn't even scan a restaurant QR code menu.

hedgehogform

0:46 didn't know you were a fellow mineman brother

strbe

I actually think it's pretty funny that I'm stumbling across this video in my feed. I was thinking of doing the exact same thing in my area since there are a lot of truck stops in my area and because of that, it's a prime phishing hole

Psikeomega

I love dumb experiments. The true scientific method!

djoh

Were you able to see which posters got the most scans?

Bartlbees

I finally tracked you down bro, I want my freaking car wash!

j.woodgard

Would've liked to hear more about whether the 16 people actually did anything that could've been exploited. IMO, getting someone to tap 'browse to site' or whatever after scanning the QR code is relatively harmless. Now if they entered valid credentials into your spoofed page, or downloaded a file of some type, that would be interesting. I didn't really see anything in the video that speaks to "who i caught" either.

Schneids

This is not entirely true. QRLJacking can only happen if the user scans the barcode in the specific app you are trying to hack. For example, if you wanted to jack someone's WhatsApp you'd have to get the victim to scan the barcode in the app under "Add a device", which would require a lot of smart social engineering. So really the only thing an attacker could do is try to phish you, or if he found an XSS vulnerability (which is VERY rare in the big services) he could do more dangerous things.

daniel_

The tool I used used a lot more sites than that. If the service uses QR codes at all, it can be hijacked. I didn't use it for random though. Only used on criminals.

OneAndOnlyZekePolaris

My Steam profile pic is a QR code that goes to a canary token, so many ppl in my CS games scan it, always funny to spook them with IP, GeoIP, and user agent info lol

Zachsnotboard

So I think testing the QR code in a sandbox is a good answer to this problem until QR codes are used more

CodeDdukDdak

What... you can hack someone's session by getting them to scan your QR code... oh dear, I often wonder if I have fallen victim to this.

patrickchan

Is it possible to auto-redirect a QR code once scanned to a URL without prompting users first?

krivadnaaiservices