S 5.173 Use of short URLs and QR codes
Initiation responsibility: Top Management, IT Security Officer
Implementation responsibility: Head of Specialised Department, Head of IT
Websites are usually addressed via a URL (Uniform Resource Locator), which is therefore also referred to as a web address. Because many webpages are complex, their web addresses are often relatively long, hard to remember and impossible to display on one line, particularly on mobile end devices such as smartphones. For this reason, different methods have evolved to make the use of web addresses easier. Popular examples are short URLs and QR codes.
Short URLs
Short URLs refer to a widely used service on the Internet whereby long URLs are replaced by shorter ones. Short URLs can be compared to link text in HTML, which can likewise be made as short as desired. Unlike such links on web pages, however, the assignment between the short and the long URL is stored in the provider's database and therefore cannot be easily inspected by the user. Reasons for the fact that short URLs are widely used include, among others:
Besides all these advantages, however, short URLs may also entail threats (see T 5.177 Abuse of short URLs and QR codes). The employees of the organisation should be made aware of these problems. All employees should know that short URLs should be treated with caution.
To avoid being redirected to web pages other than those intended, the preview services offered by short URL providers can be used. These display the address hidden behind the short URL and, in addition, an image of the target page. This function is also directly available as an extension for established Internet browsers. The preview function of short URLs should be used wherever possible, and providers of short URLs without a preview function should not be used. However, the preview function can be bypassed by iterative short URLs. A short URL is called "iterative" when it refers to another short URL instead of to a proper web page. Therefore, only short URL providers that prohibit iterative short URLs should be used wherever possible. Iterative short URLs that span several providers are more difficult to prevent. As iterative short URLs serve no practical purpose except for attackers, users should generally not click on them.
The risk of being directed by short URLs to undesired or dangerous pages on the Internet can only be minimised, not excluded. To limit the damage, it is essential that the current security updates for the browser and the operating system are installed and that a virus scanner is active.
In addition to these safeguards, an organisation may decide that short URLs pose too high a risk and therefore must not be used. In this case, access to short URL service providers can be blocked, e.g. using corresponding filter rules on the proxy or web filter.
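The following is an added example and not part of the safeguard text. It shows how a resolver on a gateway or in a browser extension could follow a short URL one redirect hop at a time, without ever loading the target page, and stop as soon as one short URL points to another (an iterative short URL). The provider hostnames (`sho.rt`, `tiny.example`, `s.example`), the redirect table in `demo_lookup` and the hop limit are constructed assumptions; in production the provider list would come from the organisation's filter configuration.

```python
"""Hop-by-hop short URL resolver that flags iterative short URLs.

Added example, not part of S 5.173. Only the redirect target of each hop
(the HTTP Location header) is inspected; the final page is never fetched.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request

# Constructed placeholder hostnames standing in for short URL providers.
SHORT_URL_PROVIDERS = {"sho.rt", "tiny.example", "s.example"}
MAX_HOPS = 5  # assumption: more hops than this is treated as suspicious


@dataclass
class ResolveResult:
    hops: List[str] = field(default_factory=list)  # every URL seen, input first
    final_url: Optional[str] = None                # set only when no redirect remains
    iterative: bool = False                        # short URL pointed to a short URL
    error: Optional[str] = None


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_short_url(url: str) -> bool:
    return host_of(url) in SHORT_URL_PROVIDERS


def head_location(url: str, timeout: int = 5) -> Optional[str]:
    """Return the absolute redirect target of one hop, or None if the
    server answered without a redirect. Redirects are deliberately not
    followed automatically so that each hop can be checked first."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # refuse to follow; urllib then raises HTTPError

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout):
            return None
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            loc = err.headers.get("Location")
            return urljoin(url, loc) if loc else None
        raise


def resolve_short_url(url: str,
                      lookup: Callable[[str], Optional[str]] = head_location
                      ) -> ResolveResult:
    """Follow redirects one hop at a time. Stops early, without following
    further, when a short URL resolves to another short URL."""
    result = ResolveResult(hops=[url])
    current = url
    for _ in range(MAX_HOPS):
        try:
            nxt = lookup(current)
        except Exception as exc:  # network error, non-redirect HTTP error, ...
            result.error = f"{type(exc).__name__}: {exc}"
            return result
        if nxt is None:
            result.final_url = current
            return result
        result.hops.append(nxt)
        if is_short_url(current) and is_short_url(nxt):
            result.iterative = True
            return result
        current = nxt
    result.error = "too many redirects"
    return result


def describe(result: ResolveResult) -> str:
    """One-line preview text shown to the user before anything is opened."""
    if result.iterative:
        return "BLOCKED: iterative short URL " + " -> ".join(result.hops)
    if result.error:
        return "UNRESOLVED: " + result.error
    return f"Target: {result.final_url} (host {host_of(result.final_url)})"


# Constructed redirect table used for offline demonstration instead of HEAD requests.
DEMO_REDIRECTS = {
    "https://sho.rt/a1": "https://tiny.example/b2",        # short -> short
    "https://tiny.example/b2": "https://www.example.org/page",
    "https://sho.rt/c3": "https://www.example.org/other",   # short -> real page
    "https://www.example.org/loop": "https://www.example.org/loop",
}


def demo_lookup(url: str) -> Optional[str]:
    return DEMO_REDIRECTS.get(url)


if __name__ == "__main__":
    for start in ("https://sho.rt/a1", "https://sho.rt/c3", "https://www.example.org/loop"):
        print(describe(resolve_short_url(start, lookup=demo_lookup)))
```

`resolve_short_url` accepts the lookup function as a parameter so the same logic runs against the constructed table offline and against real HEAD requests in deployment; the preview string from `describe` is what a user should see before the target is opened.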
Use of QR codes
To save users from having to type short URLs, WLAN access data, telephone numbers and other information, QR codes (Quick Response Codes) are increasingly used. Here, data is encoded in an image, usually a square pixel pattern, in such a way that it can be reliably read by IT systems. To read the encoded information, the QR code is photographed or scanned with an end device such as a smartphone that has a suitable camera and reader application.
The QR code specification is publicly available and QR codes can be used without a licence and free of charge, which is why they are now widely used. Classical QR codes can contain up to 2,953 bytes of information. QR codes have a high error tolerance: depending on the error correction level, between 7% and 30% of damaged information in a QR code can be reconstructed. In addition to the widely used QR codes, there are further developments in which information can be stored (partially) in encrypted form, which have particularly small dimensions, or in which pictures, text or logos remain recognisable.
The information stored in a QR code cannot simply be read by the user. As with short URLs, this results in several threats (see T 5.177 Abuse of short URLs and QR codes). Users could, for example, scan a QR code on an end device that encodes a URL linking to a website infected with malicious software (malware). It must therefore be ensured that no further action is carried out automatically on the end device after a QR code has been scanned. For a URL, the address hidden behind the code should be displayed before the corresponding website is opened. In general, no telephone number should be dialled and no SMS sent automatically after the code has been scanned; users should have to confirm every outgoing call or message before it is sent.
Security management should therefore explain to employees how to handle and use QR codes. Furthermore, only QR reader applications that carry out no action automatically after a code has been scanned, but require the user's confirmation first, should be used on end devices.
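As an added example that is not part of the safeguard text, the following classifier shows the behaviour required above for a QR reader application: the decoded payload is parsed into the action it would trigger (open a URL, dial a number, send an SMS, join a WLAN, write an e-mail), the relevant target is shown to the user, and nothing happens unless a confirmation callback returns true. The payload formats handled (`http(s)://`, `tel:`, `SMSTO:`, `WIFI:T:..;S:..;P:..;;`, `mailto:`) are common conventions; the sample payloads in the block are constructed.

```python
"""Classify decoded QR payloads and require confirmation before any action.

Added example, not part of S 5.173. The block only decides what the user
would be shown and whether they approved; it never opens, dials or sends.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit


@dataclass
class QrAction:
    kind: str                       # 'url', 'call', 'sms', 'wifi', 'mail' or 'text'
    target: str                     # what the user must see before confirming
    params: Dict[str, str] = field(default_factory=dict)


# Matches one "K:value;" field of a WIFI: payload; '\' escapes ';' ',' ':' and '\'.
_WIFI_FIELD = re.compile(r"([A-Z]):((?:\\.|[^;\\])*);")


def _parse_wifi(payload: str) -> Dict[str, str]:
    body = payload[len("WIFI:"):]
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in _WIFI_FIELD.findall(body)}


def classify(payload: str) -> QrAction:
    """Map a decoded QR string to the action it would trigger on the device."""
    p = payload.strip()
    low = p.lower()
    if low.startswith(("http://", "https://")):
        # Show the host separately: that is the part users are most likely to misjudge.
        return QrAction("url", p, {"host": (urlsplit(p).hostname or "").lower()})
    if low.startswith("tel:"):
        return QrAction("call", p[4:])
    if low.startswith("smsto:"):
        number, _, text = p[len("smsto:"):].partition(":")
        return QrAction("sms", number, {"text": text})
    if low.startswith("wifi:"):
        f = _parse_wifi(p)
        # The pre-shared key is kept out of the preview on purpose.
        return QrAction("wifi", f.get("S", ""), {"auth": f.get("T", ""),
                                                  "hidden": f.get("H", "")})
    if low.startswith("mailto:"):
        return QrAction("mail", p[len("mailto:"):].split("?", 1)[0])
    return QrAction("text", p)


def preview(action: QrAction) -> str:
    """Text shown to the user before they decide."""
    if action.kind == "url":
        return f"Open website on host '{action.params['host']}': {action.target}"
    if action.kind == "call":
        return f"Dial telephone number {action.target}"
    if action.kind == "sms":
        return f"Send SMS to {action.target}: {action.params['text']!r}"
    if action.kind == "wifi":
        return f"Join WLAN '{action.target}' ({action.params['auth'] or 'open'})"
    if action.kind == "mail":
        return f"Write e-mail to {action.target}"
    return f"Text: {action.target}"


def handle(payload: str, confirm: Callable[[QrAction], bool]) -> Tuple[str, QrAction]:
    """Return ('displayed'|'approved'|'declined', action). Plain text is only
    displayed; every other kind needs an explicit confirmation first."""
    action = classify(payload)
    if action.kind == "text":
        return "displayed", action
    return ("approved" if confirm(action) else "declined"), action


# Constructed sample payloads for demonstration.
SAMPLES = [
    "https://www.example.org/login?session=1",
    "tel:+49301234567",
    "SMSTO:+49171000000:Please call back",
    "WIFI:T:WPA;S:Guest\\;Net;P:s3cret;H:true;;",
    "mailto:helpdesk@example.org?subject=hi",
    "Room 4.12",
]

if __name__ == "__main__":
    decline_all = lambda a: False  # stands in for the user's decision
    for s in SAMPLES:
        decision, act = handle(s, decline_all)
        print(f"{decision:9s} {preview(act)}")
```

`handle` takes the confirmation as a callback so that the same logic can be unit-tested with a fixed answer and wired to a real dialog in an application; the WLAN password is deliberately left out of the preview because the user only needs the network name and security type to decide.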
If information is to be disclosed only to a small group of users, encrypting the stored information can be considered. Secure QR codes (SQRC), for example, can be used for this purpose. The reading devices and/or IT systems used must then, of course, also be able to decode them.
Review questions:
- Are employees made aware of the problems with short URLs?
- Are the contents of short URLs and QR codes displayed prior to execution?