Can a QR code run malware? Canada requires proof of Vax via QR Code. Asking for a fren
Short answer: yes. Longer answer: the QR can link to a drop or script address that "theoretically" could load some additional items.
I still won't get one, but the best approach I could think of would be to look at how their app reads the code, then using the input part to figure a way to create the code in such a way that it will cause their reader to crash from an overflow or something.
Actually, given Canada's privacy act, even finding out if the app leaks data to 3rd parties would mean they are liable. (That lawsuit would be worth 100k, but that assumes the justice system here wasn't comped to the gills)
Or, assuming the app scanning the QR code itself has poor input sanitization (a very good assumption, btw), a specially crafted string could exploit the app itself.
It would be cool to fuzz the hell out of it and see what we can do. Maybe find a cheat code.
Will try to find the APK, I'm in Alberta. Ontario is doing the same, we should find collaborators to try to break this thing.
Lol that would be hilarious
Never a bad idea to throw some sand in the gears..
The QR code that was ramped up in Australia via the jab and linked via an app to all business and gov. bodies stores everything. If I needed to go to the doctor, before entering I MUST open the gov app where the QR lives and scan. It ‘checks me into that location’. When I’m seeing the dr. - any doctor - of late I don’t need to hand over my ‘Medicare’ card as the system already has me at the surgery. My doctor - any doctor - via my Medicare card - now linked to my COVID checkin, shows the dr what my medical condition is, if I’ve been vaxxed, what tests I have had, recent illnesses etc. Upon leaving, I go back into gov app via the CV checkin and hit recent. It will indicate what time I entered the surgery and it will keep me at this location until I log out. Same for pharmacy. If you’re vaxxed, apart from essential services, or doctors, food outlets, your COVID certificate is there as well. This same app can register your vehicle, pay a parking fine, pay for boat license, pay your council rates, etc. It’s ALL connected. How convenient we thought to be able to pay the usual council and gov. fees etc. Now your every move is monitored. How many apps do you have? It was sold as being safe and convenient. Not having to line up to pay, just do it from the app. I hear that Hong Kong has been hit with another wet market disease killing people. Timing with China is very suspicious but if we have to go down that road again, the infrastructure is already in place.
Fuck me…can anyone say tattooed number on our wrist?
Sounds like a good reason to Hillary Clinton your cell phone
"I can only show you the door, you have to walk through it". The QR Code is the door, you have to open it, then step through.
Since the code is just an encoding of data or a web url, it cannot execute anything on its own. The app you use may have flaws in it that could allow a buffer overflow or the like though.
As to using it for vaccines, I've not probed anything like this yet. How I would program it would be my app uses encryption to encode personal information (name, dob, amountofjabs). I would then create the QR code from that. The counterapp would then read that code, decode it, and show the person how many jabs. I would hack this by either modifying the app to have a bogus amountofjabs before it goes to the qrcode creation as that would be the easiest point. If someone extracts the encryption method, they can just create their own qrcode, however encoding personal identification in prevents you from using someone else's code. I wouldn't be surprised if they rushed this and made it easier than the above though.
I am constantly amazed at the level of sophistication and knowledge of my fellow Pedes. Thank you!
So, first step is get APK, decompile and then find methods of attack.
My first step would be to get a couple of datasets/qrcodes then put them into a QR Reader site and determine if the data is raw or encrypted.
If it's encrypted, then I would attack the app at that point as I've never been good at dealing with encryption functions and prefer to just MITM the app before encryption/decryption. I haven't touched modern cell apps, but the tools used to be pretty good for taking apart Blackberry apps and such when I used those. Heard that they're not too horrible but don't know much about the process using the tools, or the tools required afterwards ala getting it signed so your cell phone doesn't have to use debug mode for normies to use and etc.
If the QR Code is not encrypted I would just work on making my own spoofer app/site that generates the appropriate QR code if I was able to determine all the elements with my dataset. The app may still need to go through some analysis though in the event of something like a nonstandard checksum method.
Getting the data is tricky, but yes that would also be a good approach.
The little bit I know about reading QR codes is that the larger the code the more fragile they are to start.
My initial search shows the government app as about 2 stars with mostly vaxxed reviews of false negatives.
I think making a QR code that would break the app might be enough where you just say that it's their fault the machine doesn't work.
Just make your own QR codes that link to a big middle finger picture. You won't get in but you'll get a laugh.
A QR code is the same thing as copying an internet link.
No code from the image is executed directly.
Hello, my name is Robert; drop table VaccineRecords haha. In reality they are using very crappy development for these things. Probably not that difficult to mess up or somehow link to a different URL that shows a sanitized page of what they want to see. Or do a dropper. Or login with a random healthcare provider creds and insert records, or, or, or. But I wouldn't risk it. I may be tempted to Rick roll them tho. Plus they will fix all of that over time. The ultimate badass move would be for a certain state or country to declare sanctuary and just taint the well in a legal way.
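
Added example, not part of the thread and not code from any real scanner app: the comments above point out that a QR code is only data and that the risk lies in how the reading app handles it, so this sketch shows a reader treating the decoded text as untrusted input. The `name|YYYY-MM-DD|doses` payload format, the length limits, the server-side record lookup and the sample record are all assumptions constructed for illustration; only the `VaccineRecords` table name comes from the last comment.

```python
import sqlite3
from datetime import date

MAX_PAYLOAD_CHARS = 200  # assumed cap for this constructed format

class BadPayload(ValueError):
    """Decoded QR text that does not match the expected format."""

def parse_payload(text):
    """Strictly parse 'name|YYYY-MM-DD|doses' (constructed format)."""
    if not isinstance(text, str) or len(text) > MAX_PAYLOAD_CHARS:
        raise BadPayload("missing or oversized payload")
    if not text.isprintable():
        raise BadPayload("control characters in payload")
    parts = [p.strip() for p in text.split("|")]
    if len(parts) != 3:
        raise BadPayload("expected exactly three fields")
    name, dob, doses = parts
    if not 0 < len(name) <= 80:
        raise BadPayload("bad name length")
    try:
        dob = date.fromisoformat(dob).isoformat()
    except ValueError:
        raise BadPayload("bad date of birth") from None
    if not (doses.isascii() and doses.isdigit() and len(doses) <= 2):
        raise BadPayload("bad dose count")
    return name, dob, int(doses)

def make_db():
    """In-memory table holding one constructed record."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE VaccineRecords (name TEXT, dob TEXT, doses INTEGER)")
    db.execute("INSERT INTO VaccineRecords VALUES (?, ?, ?)",
               ("Robert Example", "1980-01-02", 2))
    return db

def lookup(db, text):
    """Return the stored dose count for a scanned payload, or None."""
    try:
        name, dob, _claimed = parse_payload(text)
    except BadPayload:
        return None
    # Bound parameters: the scanned name is compared as data, never parsed as SQL.
    # The dose count claimed in the QR is ignored; only the stored value is used.
    row = db.execute("SELECT doses FROM VaccineRecords WHERE name = ? AND dob = ?",
                     (name, dob)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print(lookup(db, "Robert Example|1980-01-02|9"))  # claimed 9 is ignored
```

Names can legitimately contain quotes and punctuation, so the parser does not try to filter them out; the parameterized query is what keeps such text from being interpreted as SQL.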