Web Browser Exploitation Via Barcode Scanning

Jack over on his blog put together this nice follow-up post based on the NoVA Hackers Association meeting on Monday.


“Yes, you read that correctly. Until yesterday, I wasn’t very interested in barcode scanning software. Until @rybolov gave a short demo on barcodes and brought to my attention the fact that you can embed URLs in them. All it really took were the words “web” and “browser” to get my attention. Anyone that knows Mike in person has surely heard him rant at length about barcode security. There’s a chance he even mumbles stuff about barcodes in his sleep.

The only piece of software I have at my disposal is BeeTagg, which is a free Blackberry application. Using an open-source program called Zint, you can create your own barcodes. You can use BeeTagg to scan them using the camera on your phone.

To test this with Zint, you want to create a barcode using the QR Code symbology. Under the “general” tab, enter your URL within the “Data to Encode” field, as shown below:

Next, you want to save this as either a .png or a .svg file. This allows you to print your barcode and do whatever you want with it.

The barcode shown below links to my blog. Try scanning it using whatever barcode reading software you have:

BeeTagg will recognize the URL, but will not automatically follow it. Even with completely relaxed security permissions, a user will at least be prompted that a browser connection attempt was made. Of course you can use a URL shortening service to obfuscate the destination, but regardless a user at least has to click “Yes” in order to connect with their mobile browser. I haven’t been able to figure out how to bypass this requirement yet, at least on a Blackberry.



See the rest of the post over at the Jack Mannino blog.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.