The Privacy Issues behind QR Codes

QR codes can be found on flyers, on packaging and even on products themselves; they are everywhere. A small square box containing a maze-like pattern, a QR code is a “Quick Response code” that acts as a barcode to access information online. Usually, QR codes lead to URLs that prompt further action, such as receiving a discount on a product from a certain shop. A simple Google search will lead you to multiple websites that can generate QR codes for you – regardless of size and colour – at no cost. Mobile apps that can capture QR codes and bring you to the content are just as common. The ease with which QR codes can be created and read has made them a ubiquitous sight.

A QR code can be classified as direct or indirect. A direct QR code gives you a straight route to the embedded content. An indirect QR code, by contrast, requires other supporting equipment. Indirect QR codes need an internet connection and a specific scanner belonging to the company behind the QR code, and may even incur costs.

Privacy Concerns

Alas, the benefits of a QR code are also the risks it carries. Since a QR code takes you to a URL, it could lead you to malware. Such malicious software may be embedded in the website you have been brought to and secretly downloaded onto your device. All of this happens when we conveniently use a mobile app to capture a QR code without considering its source. One way in which such malicious QR codes are distributed is through a security compromise of marketing firms. The marketing firms in this case are those which offer the service of generating QR codes. Criminal hackers could access the QR codes meant for the clients and change them to malicious codes before they are published. When someone then scans the malicious QR code to access information about the business, a Trojan virus is downloaded as well. This Trojan virus can carry out tasks on the user’s device without the user’s permission, such as obtaining data stored on a mobile device.

A cross-site scripting vulnerability is another security loophole through which attackers can get into legitimate websites and replace their QR codes with malicious ones. Malicious QR codes are scary indeed – they can steal sensitive information (e.g. passwords, locations), and they can manipulate mobile devices to eavesdrop on conversations and even use their cameras!

Example of an Attack

In 2011, Russian consumers gained first-hand experience of the threat of a malicious QR code. The code was presented as a QR code leading to an Android app called Jim, and the consumers had no idea they were downloading malware at the same time. Once downloaded, the malware sent SMS messages to premium phone numbers. Each message cost the consumer 6 USD. Compared to other forms of privacy invasion, the number of QR code infections is still relatively low. However, we should still take precautions instead of scanning every QR code that we find without a second thought.
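
One such precaution is to look at what a QR code actually contains before opening it. The following Python sketch is an added example, not part of the original post; the shortener list and the sample payloads are constructed for illustration, and the input is assumed to be the text already decoded by a scanner app.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, illustrative list of URL-shortener hosts; extend it for real use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

def inspect_qr_payload(payload):
    """Return a list of reasons to be cautious about a decoded QR payload."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["malformed URL"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # e.g. smsto:, tel:, WIFI: or plain text: never hand these to a browser
        return [f"not a web link (scheme {scheme or 'none'!r}); do not auto-open"]
    warnings = []
    if scheme == "http":
        warnings.append("unencrypted http link")
    if parts.username or parts.password:
        warnings.append("text before '@' can disguise the real host")
    host = (parts.hostname or "").lower()
    if not host:
        return warnings + ["no host in URL"]
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # an ordinary domain name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host may imitate another domain")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the final destination")
    if parts.path.lower().endswith(".apk"):
        warnings.append("link downloads an Android app package")
    return warnings

if __name__ == "__main__":
    # Constructed sample payloads (documentation domains and addresses).
    for sample in ("https://example.com/menu",
                   "http://192.0.2.7/jim.apk",
                   "https://bit.ly/EXAMPLE",
                   "smsto:+15550100:hello"):
        print(sample, "->", inspect_qr_payload(sample) or "no warnings")
```

An empty list only means none of these simple checks fired; it does not prove the destination is safe.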



15 thoughts on “The Privacy Issues behind QR Codes”

  1. Good! I’ve completely forgotten about this actually. QR codes are problematic because they actually disguise the url (the same reason why url shorteners are problematic) such that you can’t tell exactly where you’re going, or whether the url (go and look at our protocol lecture re: url structures if you’re lost) is malicious.
    IN ADDITION, most QR code readers are pieces of third-party software on your phone which you have to run in order to read the code. And usually what these pieces of software do is not entirely clear (e.g. does it send any personal information to any third party?)

