Problems with QR Codes | Smart Thinking Solutions

Diana has written this week’s “Wednesday Bit” on QR Codes.

Last week I became aware of a significant problem with QR codes, which are used by many organisations and individuals to direct people to their websites or sales pages. Such codes have been in use now for many years. (BizTechReports, 2024)

However, QR codes can also be used by authenticator apps in the multifactor authentication process and they therefore contain sensitive personal information. The codes can be stored in email, cloud storage and messaging apps used in the enrolment process.

Although the problem is not widely known yet, it could become a problem in the future as bad actors work out how to access the information contained in the millions of codes generated so far. For example, Google Authenticator has been supporting QR codes for 12 years.

Accessing the data could be as simple as leaning over somebody’s shoulder and photographing the QR code being used for authentication.

A fix has been developed which will require everybody to re-enrol using new secure codes. These codes would be dynamic and only sent to the authenticator app. Software vendors will have to develop and deploy this, but the cost to industry could be vast in terms of staff time.

Identifying all the users affected by this would be very diffcult, as there could potentially be hundreds of millions of these codes out “in the wild”.

As we become aware of the vendors developing the fix, we shall notify those of our clients using that software. Other companies like ours will be doing the same thing, but it is likely that some clients are using software of which we are unaware. Please arrange for us to conduct an audit of your systems and software so that we have an up-to-date understanding of your exposure to risk.

We can then help users to re-enrol using the secure fixes provided by the software vendors.

If we start identifying what users have used multifactor authentication for, we can start to quantify the issues within our client base.

Smart Thinking – we do the research so you don’t have to!

Diana Catton MBA – by line and other articles

References

BizTechReports. (2024). Silent Sector Advises IETF of Major Vulnerability Related to QR Codes Used to Enroll Two-Factor Authentication Processes — BizTechReports. https://www.biztechreports.com/news-archive/2024/9/26/silent-sector-advises-ietf-of-major-vulnerability-related-to-qr-codes-used-to-enroll-two-factor-authentication-processes

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

References

Further Reading