T 5.177 Abuse of short URLs and QR codes
Websites are usually addressed via a URL (Uniform Resource Locator), which is therefore also referred to as a web address. The complexity of many websites results in relatively long web addresses that are hard to remember and cannot be displayed on one line, particularly on mobile devices such as smartphones. For this reason, several methods have evolved to make web addresses easier for users to handle. Popular examples are short URLs and QR codes.
Short URLs
Short URLs are a widely used Internet service in which a long URL is replaced by a much shorter one that redirects to it. Short URLs make it easier to follow references in magazine articles: many articles in printed magazines refer to sources on the Internet or contain references to websites, and unlike the links in online articles, these have to be typed in manually. Short URLs reduce this effort significantly. Short URLs consequently have certain advantages, but also some risks:
- Availability: A short URL is resolved to the original web address without user intervention, via a database of the service provider that contains the original address. This database with the mappings between short and long URLs must be available. Large databases contain billions of entries; in the case of a temporary or permanent failure of the database, billions of short URLs become useless. Furthermore, the provider of the service may change its terms and conditions of use so that the short URLs generated via this service can no longer be used without difficulty.
- Data privacy: Because every access passes through the provider's redirect, the use of short URLs allows the provider of the service to trace which IP address accessed which site and when.
- Integrity: A short URL does not indicate its target; the user only learns the destination once the redirect has been followed. For this reason, short URLs are attractive for all forms of attack that try to lure users to manipulated websites. For example, if a forged e-mail from a supposedly known sender contains a short URL, there is a greater chance that the link will actually be clicked. Moreover, the database of the short URL provider could have been manipulated so that the short URLs no longer refer to their original target. Some providers offer a preview function that displays the target without following the redirect; where this is not available, the target can be determined by resolving the redirect chain without loading the final page.
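The integrity risk above stems from the user seeing only the short form. A practitioner therefore resolves the redirect chain without fetching the destination page. The following is an added Python example, not part of the catalog text: it follows redirects hop by hop with HEAD requests, refuses non-HTTP targets and stops on loops and overlong chains. Because the example must run offline, it includes a constructed in-process HTTP server that plays the role of a shortener, with a mapping table standing in for the provider's database; the paths /abc, /hop2, /final and /loop and the loopback address are assumptions of the example.

```python
"""Resolve a short URL hop by hop without loading the destination page."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


def resolve_chain(url, max_hops=10, timeout=5):
    """Return the list of URLs visited, starting with `url` and ending at the
    first non-redirecting response. Only HEAD requests are sent, so no page
    body (and no drive-by content) is ever downloaded. Raises on non-HTTP
    targets, redirect loops and chains longer than `max_hops`."""
    chain = [url]
    for _ in range(max_hops):
        parts = urlparse(chain[-1])
        if parts.scheme not in ("http", "https"):
            raise ValueError(f"refusing non-HTTP target: {chain[-1]}")
        conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                    else http.client.HTTPConnection)
        conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
        path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        try:
            conn.request("HEAD", path, headers={"User-Agent": "shorturl-check/1.0"})
            resp = conn.getresponse()
            status, location = resp.status, resp.getheader("Location")
        finally:
            conn.close()
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(chain[-1], location)
        if nxt in chain:
            raise RuntimeError(f"redirect loop at {nxt}")
        chain.append(nxt)
    raise RuntimeError(f"more than {max_hops} redirects starting from {url}")


# --- constructed test double: an in-process "shortener" ----------------------
# SHORT_TABLE stands in for the provider's database (an assumption of this
# example). A tampered entry here is exactly the integrity threat described above.
SHORT_TABLE = {"/abc": "/hop2", "/hop2": "/final", "/loop": "/loop"}
FINAL_PATHS = {"/final"}


class _ShortenerHandler(BaseHTTPRequestHandler):
    def do_HEAD(self):
        if self.path in SHORT_TABLE:
            self.send_response(302)
            self.send_header("Location", SHORT_TABLE[self.path])
        elif self.path in FINAL_PATHS:
            self.send_response(200)
        else:
            self.send_response(404)
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_shortener():
    """Start the fake shortener on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _ShortenerHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


if __name__ == "__main__":
    srv, base = start_shortener()
    for hop in resolve_chain(base + "/abc"):
        print(hop)
    srv.shutdown()
```

Against a real shortener, call resolve_chain with the short URL from the message and compare the host of the last element with the site the message claims to link to; a chain that ends on a different host, or that bounces through several intermediate hosts, is the signal to stop before clicking.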
QR codes
Similar to barcodes, QR codes (Quick Response codes) represent data in machine-readable form, typically as a square in which information is stored in a standardised manner using patterns of smaller squares. QR codes are often found on products or consumer information and refer users to additional sources of information that may be useful or interesting for them. Users must first photograph or scan the QR code, for example with their smartphone. In addition, an application must be installed on the device to decode the information contained in the QR code, such as URLs, addresses, phone numbers or WLAN access information. A frequent application scenario is QR codes on brochures in which a URL is encoded, but they are also widely used in industrial environments and in logistics.
QR codes are machine-readable with high fault tolerance (they carry error-correction data), but cannot be decoded by humans. For this reason, users cannot identify the information encoded in a QR code before scanning it, and the threats are similar to those of short URLs. For example, QR codes on posters or websites can refer to malware or to chargeable service numbers. Moreover, a QR code can carry a payload that exploits vulnerabilities in the reader application or the operating system of the device scanning it: for example, a QR code may contain data that, when processed by the reader, leads to a buffer overflow or an injection attack.
Example:
- An attacker created a QR code that referred to a URL on a website which was infected with malware for a widely used smartphone operating system. She printed the code in a suitable format and pasted it over numerous QR codes on advertising columns and other advertising media at a well-frequented technical conference. Numerous users scanned the QR code, which resulted in their smartphones being infected with the malware and sending chargeable text messages to a foreign service at the users' expense.
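Because the user cannot read the payload before the reader decodes it, the practical defence against the threats described above is a reader that displays the decoded content and classifies it before acting on it. The following added Python example, not part of the catalog text, inspects a decoded QR payload (the string a scanner produces, not the image) and decides whether it may be opened, shown, confirmed by the user, or blocked. The payload conventions it recognises (plain URLs, tel:/sms:/smsto: URIs, the WIFI:T:...;S:...;P:...;; record) are the de facto formats used by common reader apps; the premium-rate prefixes, the allow-listed host and the sample payloads are constructed assumptions of the example.

```python
"""Classify a decoded QR-code payload before acting on it (deny by default)."""
import re
from urllib.parse import urlparse

MAX_PAYLOAD_BYTES = 2953               # byte-mode capacity of a version 40, level L QR code
PREMIUM_PREFIXES = ("0900", "+49900")  # assumption: German premium-rate prefixes; adjust per country
SHORT_CODE_MAX_DIGITS = 6              # chargeable SMS services usually use short codes


def parse_wifi(payload):
    """Parse 'WIFI:T:<auth>;S:<ssid>;P:<password>;H:<hidden>;;' into a dict.
    Inside a value, a backslash escapes ';', ':', ',', '"' and the backslash itself."""
    fields = {}
    for m in re.finditer(r'([A-Z]):((?:\\.|[^;\\])*);', payload[len("WIFI:"):]):
        fields[m.group(1)] = re.sub(r'\\(.)', r'\1', m.group(2))
    return fields


def classify_payload(payload, allowed_hosts=frozenset()):
    """Return (kind, detail, action); action is 'open', 'show', 'confirm' or 'block'.
    Nothing is executed here: the caller displays `detail` and acts only on 'open'."""
    if len(payload.encode("utf-8")) > MAX_PAYLOAD_BYTES:
        return ("oversize", payload[:32], "block")             # cannot come from a valid QR code
    if any(ord(c) < 0x20 and c not in "\r\n\t" for c in payload):
        return ("control-chars", repr(payload[:32]), "block")  # typical of injection attempts
    p = payload.strip()
    if p.upper().startswith("WIFI:"):
        return ("wifi", parse_wifi(p), "confirm")              # joining a network needs consent
    parsed = urlparse(p)
    scheme = parsed.scheme.lower()
    if not scheme:
        return ("text", p, "show")
    if scheme in ("http", "https"):
        host = (parsed.hostname or "").lower()
        return ("url", p, "open" if host in allowed_hosts else "confirm")
    if scheme in ("tel", "sms", "smsto"):
        number = parsed.path.split("?")[0].split(":")[0]       # smsto:<number>:<text>
        digits = re.sub(r"[\s\-()]", "", number)
        premium = digits.startswith(PREMIUM_PREFIXES)
        short_code = (scheme != "tel" and digits.isdigit()
                      and len(digits) <= SHORT_CODE_MAX_DIGITS)
        return (scheme, number, "block" if premium or short_code else "confirm")
    if scheme in ("mailto", "geo"):
        return (scheme, p, "confirm")
    # javascript:, intent:, file:, data: and unknown app schemes: deny by default
    return (scheme, p, "block")


SAMPLE_PAYLOADS = [  # constructed for the example
    "https://www.example.com/product/42",
    "tel:+49 900 123456",
    "sms:12345?body=START",
    "WIFI:T:WPA;S:Free Conference WiFi;P:hunter2;;",
    "javascript:alert(document.cookie)",
    "intent://scan/#Intent;scheme=zxing;end",
    "Stand 4711, Halle B",
]

if __name__ == "__main__":
    for sample in SAMPLE_PAYLOADS:
        kind, detail, action = classify_payload(sample, allowed_hosts={"www.example.com"})
        print(f"{action:8} {kind:14} {detail}")
```

The allow list is deliberately empty by default, so even an http(s) URL only reaches 'confirm' unless the deployment names the hosts it trusts (for example the conference organiser's own domain); everything the reader does not recognise is blocked rather than handed to the operating system.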