
I am aware of several ways QR code generators could pass "hidden" information "around" the QR spec. For example, if you can use the masking in a spec to ignore an area where you plan to put a logo, then you could just as easily put information there.

However, in any of these schemes, the "hidden" information would only be useful to someone who knows how to read "around" the spec too. For example, humans recognize logos as a visual language that has nothing to do with the QR code spec. But, for the QR code generator to pass info around the spec, something would have to read around the spec, which I'm not really worried about.

I'm more worried about the analog of a cookie or Google Analytics code or something that passes information about me when I use an online generator to create a QR code, but is never shown to me explicitly. For example, if the generator encoded their address and then my QR code reader (say, in Chrome on my phone) colluded to pass information back to the code generator about me (or the users of my code) when they scan it, without showing that information to me or the user of my QR code. (Obviously, I could QR-encode a link with query parameters in it or something that could be used to gather information, but I would see that when I create the link and my user would see that when they use the link (if they stop to actually inspect it).)

My concern is if there is any allowance in the spec for hidden information or if there's any known commercial practice between generators and scanners to collude in passing around information they don't show to me or my users.

[FYI, I originally posted here in Stack Overflow, before I heard of the security StackExchange.]

  • doesn't seem like they'd have any information to secretly pass around. If it's your IP, you could use an offline tool. A quick google gave me this: https://crunchify.com/java-simple-qr-code-generator-example/ – pcalkins Dec 08 '20 at 20:59
  • 1
    Even if the QR *code* didn't allow such behavior, there's always be the chance that the QR code *software* (generator or reader) leaks information in other ways, out-of-band (for example collecting URLs for statistical or marketing purposes). – reed Dec 09 '20 at 14:04

1 Answer

It is possible to sneak some "steganography-like" data into a QR code at the encoding level. Example: intentionally invert some bits (squares) in the data area of the QR code. They will be detected and silently corrected during reading, so the payload won't be affected, but you can identify the modified bits and gain hidden knowledge, e.g. from their positions.

If you are afraid this is happening, simply read the QR payload and encode it again; such encoding-level artifacts will disappear.

Do not be worried if you re-encode the QR code content and find the result looks completely different: most probably you are just using a different error correction level in your encoder.

tomash
  • 126
  • 2
  • Wow - great point - I hadn't thought of that! Still, I think the point is, without developing the code myself, I'd have to trust some QR code generator at some point. Of course, I could use an open source library and be pretty sure (based on incentives and review) it isn't sneaking something in, but I can't be certain from the QR code protocol alone that a web QR generator isn't doing some steganography (btw, thanks for the word!). – combinatorist Feb 01 '21 at 16:06
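The channel tomash describes, worked through as an added example (this is not code from the question or answer). QR codes protect their data with Reed-Solomon codes; to stay short and runnable offline, the example assumes a Hamming(7,4) code as a stand-in, since the mechanism is identical: every codeword tolerates one flipped bit, so a colluding generator can choose which bit to flip and leak three bits per codeword while an ordinary reader decodes the payload untouched. The payload `https://example.com/` and the covert tag `id:7` are constructed sample inputs; `sanitize` is the answer's decode-and-re-encode countermeasure.

```python
"""Covert data hidden in error-correctable bits, and its removal by re-encoding.

Assumption: Hamming(7,4) stands in for the Reed-Solomon code a real QR encoder
uses; the hiding and cleaning steps work the same way on either code.
"""

DATA_POS = (3, 5, 6, 7)  # 1-indexed data-bit positions; parity lives at 1, 2, 4


def hamming74_encode(nibble: int) -> list[int]:
    """Encode 4 data bits (MSB first) into a 7-bit Hamming codeword."""
    c = [0] * 8  # index 0 unused so that the syndrome equals the error position
    for i, pos in enumerate(DATA_POS):
        c[pos] = (nibble >> (3 - i)) & 1
    c[1] = c[3] ^ c[5] ^ c[7]
    c[2] = c[3] ^ c[6] ^ c[7]
    c[4] = c[5] ^ c[6] ^ c[7]
    return c[1:]


def syndrome(word: list[int]) -> int:
    """Position (1..7) of a single flipped bit, or 0 if the codeword is clean."""
    c = [0] + list(word)
    s1 = c[1] ^ c[3] ^ c[5] ^ c[7]
    s2 = c[2] ^ c[3] ^ c[6] ^ c[7]
    s3 = c[4] ^ c[5] ^ c[6] ^ c[7]
    return s1 | (s2 << 1) | (s3 << 2)


def hamming74_decode(word: list[int]) -> int:
    """Silently correct one bit error and return the data nibble, as a reader does."""
    c = [0] + list(word)
    pos = syndrome(word)
    if pos:
        c[pos] ^= 1
    nibble = 0
    for pos in DATA_POS:
        nibble = (nibble << 1) | c[pos]
    return nibble


def encode_payload(payload: bytes) -> list[list[int]]:
    """Canonical encoding: two codewords per byte, high nibble first."""
    words = []
    for b in payload:
        words.append(hamming74_encode(b >> 4))
        words.append(hamming74_encode(b & 0x0F))
    return words


def decode_payload(words: list[list[int]]) -> bytes:
    nibbles = [hamming74_decode(w) for w in words]
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))


def to_symbols(data: bytes) -> list[int]:
    """Split bytes into 3-bit symbols (MSB first), zero-padded at the end."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 3)
    return [int(bits[i:i + 3], 2) for i in range(0, len(bits), 3)]


def from_symbols(symbols: list[int], nbytes: int) -> bytes:
    bits = "".join(f"{s:03b}" for s in symbols)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, nbytes * 8, 8))


def embed_covert(words: list[list[int]], covert: bytes) -> list[list[int]]:
    """Colluding generator: flip bit s of codeword i to carry symbol s (0 = no flip)."""
    symbols = to_symbols(covert)
    if len(symbols) > len(words):
        raise ValueError("covert data does not fit in the available codewords")
    out = [list(w) for w in words]
    for w, s in zip(out, symbols):
        if s:
            w[s - 1] ^= 1
    return out


def extract_covert(words: list[list[int]], nbytes: int) -> bytes:
    """Colluding reader: the error syndromes ARE the covert symbols."""
    return from_symbols([syndrome(w) for w in words], nbytes)


def sanitize(words: list[list[int]]) -> list[list[int]]:
    """The answer's countermeasure: decode the payload and encode it again."""
    return encode_payload(decode_payload(words))


if __name__ == "__main__":
    payload = b"https://example.com/"  # constructed sample payload
    tag = b"id:7"                      # constructed covert tracking tag
    clean = encode_payload(payload)
    tainted = embed_covert(clean, tag)
    print("ordinary reader sees:", decode_payload(tainted))
    print("colluding reader recovers:", extract_covert(tainted, len(tag)))
    print("codewords altered:", sum(a != b for a, b in zip(clean, tainted)))
    print("altered after sanitize:", sum(a != b for a, b in zip(clean, sanitize(tainted))))
```

Note that the hidden data rides entirely on the difference between the received codewords and their canonical re-encoding, so a reader that only reports the decoded payload cannot see it, and a re-encoding of that payload reproduces exactly the clean codewords.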