1 mo. ago • 97%

What's inside the QR code menu at this cafe?

peabee.substack.com What's inside the QR code menu at this cafe?

Let me scan it, what could possibly go wrong?

39 comments

scanning a random qr code has to be this generation's plugging in an unknown usb drive.

84
- I mean, unless somebody is burning browser zero days on random public QR codes I'm not too worried.
  
  53
  
  Browser zero days are some of the most valuable exploits in existence, so I highly doubt it would happen in practice
  
  6
- It's easier to take precautions though. You probably don't have an insulated USB port or throwaway host device but handling QR codes safely just takes basic tech and skill.
  
  Important advice:
  
  Don't use apps that auto-open URLs in QR codes when pointed at!
  
  Make sure the app shows the full content of the QR code and lets you peruse it indefinitely before you open the link!
  
  Know the structure of URLs and common pitfalls!
  
  Recommendations:
  
  Be extra suspicious if there is no URL printed next to the code, or if the printed URL is different.
  
  Use an open source reader app (most QR codes don't contain secrets but it's got permission to use either camera!) that does not resolve Punycode (Unicode in TLDs).
  
  Strip any tracking parameters you spot before following any URLs.
  
  Be careful if the QR code could have been easily tampered with (on a sticker over the original one, or on a plain sheet of paper inserted into a plastic wrap together with the rest)
  
  I think today's generation's equivalent is free Wi-Fi networks. Kids without mobile data in an area without an established public network will connect to just about any open one unless the SSID includes "LaserJet" or similar.
  
  28
  
  Strip any tracking parameters you spot before following any URLs.
  
  If it's one of these QR codes at a restaurant for ordering, the parameters could possibly be necessary to properly connect your order to your table, depending on how they're set up.
  
  5
  
  WiFi and cellular networks as well. Using cellular data without some kind of tunneling for traffic/dns is nuts IMO.
  
  4
  
  I keep meaning to look more into how qr codes work. I always wondered if there were possible attack vectors if a bad actor exploited a flaw in the decoding of the image. My mind went to a zip bomb for no apparent reason (a tiny file that unzips to a massive amount of data on disk)
  
  2
- You just don't open the link
  
  8
- You would at least be able to examine the link first.
  
  5
- That's why this.
  
  3
Page not found :(

44
- Has been taken down. See archived copy
  
  56
  
  Probably smart to take it down. What he did could be construed as hacking.
  
  13
Absolute insanity.

I would have abused this great and terrible power in just the same way he described. Random orders for random tables at random restaurants at random times in small quantities for as long as they aren't protected. Just enough to be an inconvenience/awkward but not enough to raise alarms.

And now I will check every QR code I scan at a restaurant.

26
- That seems kinda fucked up. Why would you do something like that?
  
  I mean, I at least get fucking with people for money. Doing it for fun, not so much
  
  Also, anyone know what they meant with this line?
  
  I still loved my life so I didn't want to use the Google custom search API.
  
  2
  
  Because you can or to prove a point.
  
  As to the quoted text, I assumed it was a reference to not getting more deeply involved in it that would cause legal issues for himself.
  
  -1
I scanned the API calls to get all the details I needed. I did my thing and I was in.

25
- I was hoping for the Mr robot guy
  
  2
  
  I only trade in the finest, unadulterated, originals.
  
  2
Internet Archive to the rescue: https://web.archive.org/web/20240923091701/https://peabee.substack.com/p/whats-inside-the-qr-code-menu-at

Edit: oops, @ChaoticNeutralCzech@feddit.org beat me to it!

18
The main event here was pretty interesting, but I'd just like to say that

It asked me for my name and Whatsapp mobile number.

Why not just the mobile number. Do they also operate drive-ins that only accept BMWs?

17
- In certain places like India, WhatsApp is the default means of communication for everyone.
  You can use it without phone data if you are on wifi, it supports better quality than sms for sending images, you can video chat with it, it's cross platform, etc etc.
  
  What's more amazing to me is that it's not more popular in western countries.
  
  12
  
  It's the most common communication tool for friends and family in much of europe
  
  9
  
  I know it's dominant, but it just sucks. To go back to the previous analogy, Whatsapp should have a monopoly on communication as much as BMW should have a monopoly on transportation.
  
  5
  
  Gonna be honest I'd much prefer Signal to take off in this regard. In the US iMessage is the closest widely excepted equivalent, but if I'm gonna do WiFi IM, I want to know it is 100% verifiably private. Otherwise I might as well be using SMS/MMS.
  
  2
error 404: 'Page not found'

14
- Has been taken down. See archived copy
  
  29
Brilliant article - but it looks like it's now been removed. Would be impressive if someone at Dotpe got wind in such a short space of time...

11
- Huh, it was still working when I posted it one hour ago... unlucky I guess 🤷‍♂️
  
  7
It asked for your phone number? That is the thing that angered me the most. I wonder why you would share this rather than ask a waiter and say you don't have Whatsapp, for example.

4

You've viewed 39 comments.