• @Cypher@lemmy.world
    link
    fedilink
    English
    1610 months ago

    There are clickless exploits and other methods that don’t require you to enter information, nevermind that nearly all of these menus have ordering and payment available through them and mimicking websites is fairly simple.

    QR codes cannot be trusted just like links from unknown sources cannot be trusted.

    • gila
      link
      fedilink
      English
      610 months ago

      I think you’ll find there isn’t an Android or iPhone on the market today vulnerable to SQL injection or XSS etc via scanning a QR code. You’re talking about device vulnerabilities that get patched and it’s equally possible to encounter these exploits with plaintext URLs

      • @Cypher@lemmy.world
        link
        fedilink
        English
        910 months ago

        You’re talking about device vulnerabilities that get patched

        Patching out zero days takes time.

        it’s equally possible to encounter these exploits with plaintext URLs

        Yes which is why I clearly stated that following URLs from any unknown sources carries risk.

        The difference is that due to menus being a point of payment they have a greater incentive for abuse.

        • gila
          link
          fedilink
          English
          810 months ago

          So we shouldn’t use smartphone features if they could potentially have exploits? With this logic you shouldn’t have a phone.

          • @hemko@lemmy.dbzer0.com
            link
            fedilink
            English
            2
            edit-2
            10 months ago

            We shouldn’t replace perfectly good solutions with unreliable, cumbersome, insecure, annoying shitty tech just because.

            • @lolcatnip@reddthat.com
              link
              fedilink
              English
              210 months ago

              Thinking that simply visiting a web site for a business you’ve already decided to patronize is dangerous is some serious boomer logic.

              • @hemko@lemmy.dbzer0.com
                link
                fedilink
                English
                210 months ago

                If we only focus on the security part, how the do you know it’s even their site you’re visiting? Often those qr codes are just stickers on table, trivial to slap a new one there

                But it also adds a lot of annoyance for customers who came to eat food, not doomscroll on their fucking mobile phone

            • gila
              link
              fedilink
              English
              1
              edit-2
              10 months ago

              My whole point is that the perfectly good extant solutions are equally flawed. QR codes don’t create a situation where e.g mimicing a website is easier. It is already easy. It is not any more difficult to mimic a website with a fake domain name purposefully named in plaintext in a way to deceive.

              Literally the only difference is you are looking at letters, which you are confident in your ability to parse, with a code which you are not. A URL being short and easy to type doesn’t make it less likely to be malicious.

              The key thing to remember is that yours, my, everyone’s assessment of perceived risk is very incomplete. Your specific comfort with plaintext is itself a potential attack vector. So an approach to privacy/security where you simply avoid all possible circumstances with any perceived risk attached to them is a shitty approach. Engaging with an acceptable risk level is the only way to teach yourself vigilance.

              People recently started seeing QR codes everywhere and feel confronted by this new reality, that’s natural. But the truth is that this is fear of QR codes is irrational where it is not reconciled with the perceived risk of generally using the internet and following links. There might be a difference in the physical characteristics of the link format, but in terms of computer security the difference doesn’t matter.

              Just because some commenters here remember seeing a CVE in 2016, or read about QRgen one time, doesn’t mean QR code protocol is inherently vulnerable. It is in fact quite ridiculous to suggest that would be the case and all the manufacturers would continue to support it.

      • @Arcka@midwest.social
        link
        fedilink
        English
        410 months ago

        If the restaurant doesn’t have a good enough reputation that I couldn’t trust the QR they provided (which displays the URL so I can inspect it before launching the web browser), I also wouldn’t want to trust my health to eating there.

        It isn’t like some random thing you found on the sidewalk.

        • gila
          link
          fedilink
          English
          410 months ago

          I’m pretty sure these are just an echo of the same concerns people put forward when URLs first started being included in signage, due to general privacy/security concerns with the internet. Somehow we got through it!