
Google Camera randomly changes some QR code URLs on Android 12

January 20, 2022

QR codes have become a ubiquitous part of everyday life, whether you like them or not. But they can also pose a security risk, as you can’t see at a glance to which website they’re directing you. While scanner apps usually show which URL is hidden inside a QR code, the Google Camera app apparently goes a step further and tries to autocorrect URLs it deems wrong, leading to more problems than solutions.

As reported and investigated by German publication Heise, the Google Camera routinely runs into at least three distinct errors. The first one revolves around a few country-code top-level domains (ccTLDs), and it doesn’t matter if a QR code only directs you to an affected domain (like the non-existent Austrian https://fooco.at) or if it links to further directories (https://fooco.at/bar/index.htm). If the domain’s second level (fooco) ends with certain strings, the Google Camera will automatically insert a dot, turning a link like https://fooco.at into https://foo.co.at. Heise tested further combinations and found that the issue also exists for .au, .br, .hu, .il, .kr, .nz, .ru, .tr, .uk, and .za. The affected strings at the end of the second level include co, com, ac, net, org, gov, mil, muni, and edu, but not or, gv, and k12.


[Image: QR code misread by Google Camera on Android 12. Credit: Heise]

The second issue deletes some strings altogether, and again, only specific strings are affected. Here, the problem crops up for top-level domains that are longer than two characters (like the Catalonian .cat). Heise reports that the Google Camera swallows the characters following the initial two, turning something like the Catalonian independence referendum’s address (https://referendum.cat) into the non-existent Canadian address https://referendum.ca. The same problem exists for .int, .pro, .travel, .apple, .bet, .beer, and .amex, with almost all of these being cut down to the first two letters (.apple being the exception in turning into .app). The problem also affects newer TLDs like .army, .art, .arte, .arab, .audio, .auto, and .autos.

Security researcher Adrian Dabrowski discovered a third problem that affects numbers in the subdomain (usually the www part). Here, the Google Camera would once again arbitrarily add a dot, turning legitimate addresses like the Royal Bank of Canada’s https://www6.rbc.com into the 404-ing https://www.6.rbc.com. While you probably shouldn’t use a random QR code to access your online banking address, the problem might be more relevant for addresses like New York City’s https://www1.nyc.gov, which the Google Camera turns into https://www.1.nyc.gov.

If you want to go wild, you can even combine error 3 with error 1 or 2, turning addresses like https://www2co.at into https://www.2.co.at.
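
Anyone who publishes QR codes can screen their URLs against the three rewrites described above before printing them. The following is an added example, not code from Heise, Android Police or Google: the function name `check_qr_url` and the issue labels are hypothetical, the lists are copied from this article and are not an exhaustive rule set, and the `www` plus digits pattern for the third error is an assumption based on the two examples given.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Lists copied from the article (Heise's test results), not an exhaustive rule set.
DOT_CCTLDS = {"at", "au", "br", "hu", "il", "kr", "nz", "ru", "tr", "uk", "za"}
DOT_SUFFIXES = ("co", "com", "ac", "net", "org", "gov", "mil", "muni", "edu")
TRUNCATED_TLDS = {"cat": "ca", "int": "in", "pro": "pr", "travel": "tr",
                  "apple": "app", "bet": "be", "beer": "be", "amex": "am"}
# Reported as affected, but the article does not say what they turn into.
RESULT_UNKNOWN = {"army", "art", "arte", "arab", "audio", "auto", "autos"}


def check_qr_url(url):
    """Return (issues, predicted_url). predicted_url is None when the URL is
    unaffected or the article does not state the rewritten form."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    issues, predictable = [], True

    # Error 1: a dot is inserted before certain endings of the second level.
    if len(labels) >= 2 and labels[-1] in DOT_CCTLDS:
        sld = labels[-2]
        for suffix in DOT_SUFFIXES:
            if sld.endswith(suffix) and len(sld) > len(suffix):
                labels[-2:-1] = [sld[:-len(suffix)], suffix]
                issues.append("dot-inserted-before-" + suffix)
                break

    # Error 2: a TLD longer than two characters is cut short.
    tld = labels[-1]
    if tld in TRUNCATED_TLDS:
        labels[-1] = TRUNCATED_TLDS[tld]
        issues.append("tld-truncated")
    elif tld in RESULT_UNKNOWN:
        issues.append("tld-affected-result-unknown")
        predictable = False

    # Error 3: a dot is inserted between "www" and trailing digits (assumed pattern).
    m = re.fullmatch(r"www(\d+)", labels[0])
    if m and len(labels) > 1:
        labels[0:1] = ["www", m.group(1)]
        issues.append("dot-inserted-in-www-label")

    if not issues or not predictable:
        return issues, None
    netloc = ".".join(labels) + (f":{parts.port}" if parts.port else "")
    return issues, urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
```

An empty issue list means the URL matches none of the patterns reported in the article; it does not prove that Google Camera leaves the URL untouched.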


Heise cites security researcher Dabrowski, who suspects that the issues might be related to a controversial change introduced in Chrome. The browser hides full URLs in the address bar for the sake of simplification, omitting some of the same parts as Google Camera. Just look up our address in Chrome’s address bar. You won’t see https://www.androidpolice.com/; it will be androidpolice.com. While it’s understandable that Google tries to save as much space as possible when displaying URLs on small screens, these space-saving measures shouldn’t lead to errors carrying over into your browser, said Dabrowski.

However, the issue affects any browser, so even if you’ve got, say, Firefox set as your default browsing app on your Android 12 device, you’ll still be directed to the wrong link when you scan a QR code using Google Camera.


Google Camera only reads QR codes when you activate Google Lens suggestions in its settings, allowing you to “point your camera to scan QR codes and barcodes” using only the Google Camera app. Strangely enough, Heise reports that the Google Lens app itself works just fine for all kinds of QR codes and isn’t introducing any of the errors.

The problem can be a big deal, because it could potentially lead people to malicious websites purposely set up to take advantage of these Google Camera rules. While an attack like this might not reach too many people, setting up an unclaimed website is easy enough. It’s best to switch to Google Lens or a trusted QR code scanner such as ZXing Team’s Barcode Scanner until Google fixes the issue. Thankfully, most of the affected URLs are edge cases, and it’s pretty unlikely that Pixel owners will routinely run into addresses like these in the first place, given that Pixels are officially only sold in a few countries mostly not affected by the TLD woes. And newly invented TLDs like .auto or .audio are still rare enough that they shouldn’t be a problem right now.


Heise was able to confirm its findings with the Pixel 3 XL, 3a, 4, 4a, 5, and 6 Pro on Android 12. A Pixel 3a running Android 11 didn’t exhibit the problem, but did after upgrading to the latest OS version. We can corroborate that with our own research on a Google Pixel 6 unit.

We’ve reached out to Google for comment.

Thanks: Nick



About The Author

Manuel Vonau

Manuel is a tech enthusiast and Android fan based in Berlin. When he’s not writing articles for Android Police, he’s probably out and about as a videographer.
