I encountered this for the first time today while attempting to read something on archive.today.

I confirmed that decoding the QR code using a computer and following the URL it contains is insufficient; the error it gave directed me here, which is what the linked screenshot is of.

The old type of captcha remains available too, for now:

screenshot of text: Important: Mobile verification for Google Cloud Fraud Defense is an experimental challenge type in Preview. Visual and audio challenges are available as alternatives for users who can't complete mobile verification. To use them, click the Visual or Audio buttons.

OC writeup by @cypherpunks@lemmy.ml

  • DaddleDew@lemmy.world
    ↑ 60 · 20 hours ago (edited)

    They better not implement that shit as mandatory because:

    • 1: I’m running a degoogled phone without Google Play Services
    • 2: I’m not installing their blatant spyware app
    • 3: I am not letting them create a link between my phone and my PC
    • 4: It looks like more trouble than before
    • 5: Fuck Google in general
    • Lemming421@lemmy.world
      ↑ 41 · 19 hours ago
      1. Bad actors will start using clones of it with malicious QR codes to try and compromise your mobile device as well as your desktop one
      • Jiral@lemmy.org
        ↑ 3 · 3 hours ago

        My thoughts. All other issues aside, this sounds like a huge, unnecessary, attack vector.

      • Mikina@programming.dev
        ↑ 1 · 4 hours ago

        I keep hearing about malicious QR codes, but how does it actually work? Unless there’s a serious vulnerability, how is it different from clicking on any link?

        It has been a few years since I worked as a junior in offensive security, but that has been something I could never figure out when I looked into it.

        Hmm, I guess you could use it for a pretty good phishing attempt. Just show a fake Google login page and you’re set, or maybe a fake .apk download “to confirm the captcha”, but other than that, I don’t really see a vector of attack.

        • guywithadeathwish@lemmy.world
          ↑ 5 · 3 hours ago (edited)

          This example might shed some light on how malicious QR codes can work.

          There’s a lot of car parks in my area which have had QR codes stickered to the payment meters, instructing people to use the QR code to pay for their parking. These are council or private car parks, but the code takes you to a site that accurately mimics a usual carpark payment site. So people think they’ve paid for parking, but have actually sent money to a scammer, and they also end up with a fine for non-payment from the entity that actually owns the carpark.
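
The phishing cases raised in the replies above (a lookalike payment site, a fake login page, an .apk offered "to confirm the captcha") can be triaged from the decoded QR payload before anything is opened. This is an added Python example, not part of any comment in the thread; the function name, the allowlisted host and the sample payloads are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: the host the real operator publishes (constructed).
EXPECTED_HOSTS = {"pay.example-parking.test"}

def triage_qr_payload(payload, expected_hosts=EXPECTED_HOSTS):
    """Return warning flags for a decoded QR payload; an empty list means none."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["unparseable URL"]
    scheme = parts.scheme  # urlsplit lowercases the scheme
    if scheme not in ("http", "https"):
        # A QR code can carry any URI (sms:, tel:, WIFI: ...), not only web links.
        return [f"non-web scheme: {scheme or 'none'}"]
    flags = []
    if scheme == "http":
        flags.append("plain http")
    host = (parts.hostname or "").rstrip(".")
    if parts.username or parts.password:
        # "trusted-name@other-host": the text before @ is not the destination.
        flags.append("userinfo before host")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode host")  # possible lookalike characters
    if host not in expected_hosts:
        flags.append(f"unexpected host: {host}")
    if parts.path.lower().endswith(".apk"):
        flags.append("app download (.apk)")
    return flags

# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = [
    "https://pay.example-parking.test/zone/12",
    "https://pay.example-parking.test.secure-pay.example/zone/12",
    "https://pay.example-parking.test@203.0.113.7/pay",
    "https://verify.example.test/confirm/Verifier.APK",
    "sms:+15550100?body=hi",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", triage_qr_payload(s) or "no flags")
```

A payload with no flags only means none of these checks fired; the allowlist comparison is the part that catches an accurate visual clone of the real site.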

      • DaddleDew@lemmy.world
        ↑ 17 · 19 hours ago

        That is actually a valid point. It would create a new way to exploit users who don’t know any better.