Whoa, I need to recover from reading this. Where to even begin?? Asks for a phone number? Nonetheless, but a WhatsApp phone number? Hmm, a red flag, but it's nothing compared with the rest of the post. A friend asked me maybe two weeks ago to help him make a QR code for a restaurant menu since I deal with them a lot for work (it's actually not that difficult, see here). The generator I use is likely the safest in the market, with all bells and whistles, and I always tell anyone who asks - check the generator carefully before making a QR code, especially for business and especially if you plan to print it. Read the reviews. Look for security features. Plus, many advertise free codes, but it turns out - not really (people create, print, and then two weeks later - hello, pay a subscription if you want your code to work again). And I thought this was bad. But what I read now escapes reality. A big thanks to those who posted the archived copy, by the way.
It's easier to take precautions though. You probably don't have an insulated USB port or throwaway host device but handling QR codes safely just takes basic tech and skill.
Important advice:
Don't use apps that auto-open URLs in QR codes when pointed at!
Make sure the app shows the full content of the QR code and lets you peruse it indefinitely before you open the link!
Be extra suspicious if there is no URL printed next to the code, or if the printed URL is different.
Use an open source reader app (most QR codes don't contain secrets but it's got permission to use either camera!) that does not resolve Punycode (Unicode in TLDs).
Strip any tracking parameters you spot before following any URLs.
Be careful if the QR code could have been easily tampered with (on a sticker over the original one, or on a plain sheet of paper inserted into a plastic wrap together with the rest)
I think today's generation's equivalent is free Wi-Fi networks. Kids without mobile data in an area without an established public network will connect to just about any open one unless the SSID includes "LaserJet" or similar.
Strip any tracking parameters you spot before following any URLs.
If it's one of these QR codes at a restaurant for ordering, the parameters could possibly be necessary to properly connect your order to your table, depending on how they're set up.
I keep meaning to look more into how qr codes work. I always wondered if there were possible attack vectors if a bad actor exploited a flaw in the decoding of the image. My mind went to a zip bomb for no apparent reason (a tiny file that unzips to a massive amount of data on disk)
I would have abused this great and terrible power in just the same way he described. Random orders for random tables at random restaurants at random times in small quantities for as long as they aren't protected. Just enough to be an inconvenience/awkward but not enough to raise alarms.
And now I will check every QR code I scan at a restaurant.
In certain places like India, WhatsApp is the default means of communication for everyone.
You can use it without phone data if you are on wifi, it supports better quality than sms for sending images, you can video chat with it, it's cross platform, etc etc.
What's more amazing to me is that it's not more popular in western countries.
I know it's dominant, but it just sucks. To go back to the previous analogy, Whatsapp should have a monopoly on communication as much as BMW should have a monopoly on transportation.
It asked for your phone number? That is the thing that angered me the most. I wonder why you would share this rather than ask a waiter and say you don't have Whatsapp, for example.