- cross-posted to:
- [email protected]
- [email protected]
- cross-posted to:
- [email protected]
- [email protected]
You must log in or register to comment.
I’d be flattered if someone actually wanted to film me with their phone. :(
I can’t think of a single phone that automatically opens links that are in QR codes. The worst it would do is just show a link to malware, wish you would have to manually click in order to download the malware.
AIs need to read it, so it could be a way to inject prompts on AI models.
This was a few years ago (so I hope there have been patches since then) but I watched a video which was trying to make an entire game within a QR code: they don’t have to just be links, they can be binaries that some devices will immediately run without question!
Quite the opposite. That video by mattkc (iirc) repeatedly and unequivocally says that to make this work, he made his pc save the binary and explicitly run it using a python script, because doing it natively would be fucking insane
You’re right, I must have been thinking of something else. Happily I can’t find any chatter about actual malware in QR codes (it’s all redirecting to malicious websites), though obviously there’s always the possibility of a new exploit being discovered.
The 3DS used to be hacked using a QR code that was scanned using the game cubic ninja (it used QR codes as a medium for sharing levels). The interpreter had a basic memory safety bug, so you could trigger a ROP chain using a malformed QR code to get ACE. This was of course voluntary by the user (and cubic ninja was hard to get because it was not a commercial success) but that qualifies, I guess.
Then they found out the 3ds browser uses a WebKit version from 2003 and nowadays you just go to a website lol
ACE on a WiiU is just as easy, at least with the Wii you had to use a game!
I believe this should work. At least some German emergency vehicles now come with filming protection.
The linked web page reads, “Attention! Rubbernecking kills!”
I’m not sure a pseudo QR code on the truck gives off the right message
I actually would really like to know, what it says and would make myself punishable by that
But I think, it looks so inviting to scan it…The way I see it there are two options:
-
You’re in a car and driving past that vehicle. If you don’t have your phone ready already, you won’t get it out in time and won’t be able to scan the code. You didn’t read the code and didn’t need to (because you weren’t rubbernecking).
-
You’re in a car with your phone already out (because you’re expecting a crash) or you’re a pedestrian who takes out their phone to film the crash site. You do read the code and you should see it, because you’re rubbernecking.
I was more thinking about not driving the car myself, but being driven as a passenger
Although it’s obviously a safety issue, when people turn away their focus to checkout a crash - no discussion about that - I was more thinking about the ethical issue of gaffing at injured people
-
Modern Day Medusa sounds like a cool band name
All fun and games until you open your camera app and it’s in selfie mode, instantly catching the QR code and bricks your own phone.
That makes no sense, cause why would you intentionally click on the link you inadvertently scanned to brick your own phone?
Because people are idiots and like to press buttons.
Source: me
Jobs @[email protected] got fired from:
ICBM launch control operator
Professional Mornington Crescent player
Explanation for people not familiar with the Radio 4 game show:
The game consists of each panellist in turn announcing a landmark or street, most often a London tube station. The ostensible aim is to be the first to announce “Mornington Crescent”. Interspersed with the turns is humorous discussion amongst the panellists and host regarding the rules and legality of each move, as well as the strategy the panellists are using. The actual aim of the game is to entertain the other participants and listeners with amusing discussion of the fictional rules and strategies.
Yes, you can play the obvious trump card on turn 1 and win but where’s the fun in that?
deleted by creator
Finally, we can build memetic hazards in real life
Wait until somebody actually makes brain implants!
But on the other hand, people have actively used memetic hazards for millennia. Want to star a nice, cozy witch hunt?
Ah, the Basilisk Hack.
(Nothing to do with Roko, btw.)
Getting closer to Snow Crash all the time.
I want a shirt that has a QR code that Rick rolls people.
Strongly reminds me of Old MacDonald Had a Barcode, E-I-E-I CAR. Basically put a standard anti-virus test string into various sorts of barcode and see what breaks.
Is this theoretically possible?
Well, yes. You could bury code or malicious data in an image, QR or otherwise, and leverage an exploit that during processing of the visual data within the camera subsystem or inter subsystem calls could hypothetically trigger an execution path that results in a different outcome than expected, all without user permission. There is a lot of sw and hw sec controls in play at internal system boundaries and it would be very very difficult to gain privilege enough to fist fuck a phone but not impossible.
With the outstanding level of FR, NFR and Sec testing that companies perform these days it is not likely to happen. It’s not like they push out minimal viable products or something, right? /S
Well that’s one layer, but when you decode a url, you’re probably going to get a url, and then it’s going to go to that url
So now you just made them to to a website. What’s there? Whatever you want. Maybe you ask them for Facebook/Google/GitHub or whatever authorization to see their name and email, which a lot of people would do. Then redirect them to a page saying “now I know who you are, delete the photo, <user>”
Or you could send them a payload based on fingerprinting their request, you could give them a fake page to steal their password, etc
Might have more luck displaying the https://en.m.wikipedia.org/wiki/EURion_constellation
So what? That only prevents people from editing the photo in certain programs like Adobe Photoshop.
Wasn’t this almost the plot line of Snowcrash?
deleted by creator
Not all Phones habe qr code detection in the camera mode
Most do. It’s the only reason they finally somewhat caught on after a rough start when users had to download an app in order to read the code.
Every smartphone I’ve had does but every one of them has also asked if I want to follow the link rather than just doing it.
Name one released in the last five years that doesn’t
Idk I use a Pixel with GrapheneOS Camera App
That’s custom software on custom firmware, which is very extraneous to the average consumer…
It’s also not a “released” phone in the sense that Google isn’t selling it in that state.
And those that do don’t download and run code willy-nilly.
So… Everything is a meme now? Screenshots of random text posts are memes?
