Google is working on a fix for the Camera app randomly changing QR code URLs on Android 12
QR codes have become a ubiquitous part of everyday life, whether you like them or not. But they can also pose a security risk because you can’t see at a glance which website they’re directing you to. While scanner apps usually show which URL is hidden in a QR code, the Google Camera app apparently goes a step further and tries to automatically correct URLs it deems wrong, leading to more problems than solutions. Fortunately, Google is aware of the issue and is working on a fix.
As reported and researched by the German publication Heise, Google Camera regularly encounters at least three separate errors. The first revolves around a few country code top-level domains (ccTLDs), and it doesn’t matter whether a QR code points only to the domain itself (like the nonexistent Austrian https://fooco.at) or to a path beneath it (https://fooco.at/bar/index.htm). If the second level of the domain (fooco) ends with certain strings, Google Camera automatically inserts a period, turning a link like https://fooco.at into https://foo.co.at. Heise has tested other combinations and found that the problem also exists for .au, .br, .hu, .il, .kr, .nz, .ru, .tr, .uk, and .za. Strings affected at the end of the second level include co, com, ac, net, org, gov, mil, muni, and edu, but not or, gv, and k12.
The second issue completely removes some strings, and again only specific strings are affected. Here the problem arises for top-level domains that are longer than two letters (like the Catalan .cat). Heise reports that Google Camera swallows the letters after the first two, turning something like the address of the Catalan independence referendum (https://referendum.cat) into the non-existent Canadian address https://referendum.ca. The same problem exists for .int, .pro, .travel, .apple, .bet, .beer, and .amex, with almost all of these being reduced to the first two letters (.apple being the exception by turning into .app). The problem also affects new TLDs like .army, .art, .arte, .arab, .audio, .auto and .autos.
Security researcher Adrian Dabrowski discovered a third issue that affects numbers in the subdomain (usually the www part). Here, Google Camera would once again arbitrarily add a period, transforming legitimate addresses like that of the Royal Bank of Canada, https://www6.rbc.com, into the 404-ing https://www.6.rbc.com. While you probably shouldn’t use a random QR code to access your online banking address, the issue might be more relevant for addresses like New York’s https://www1.nyc.gov, which Google Camera turns into https://www.1.nyc.gov.
If you want to go wild, you can even combine error 3 with error 1 or 2, transforming addresses like https://www2co.at into https://www.2.co.at.
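For anyone who publishes QR codes, the three behaviors above can be turned into a pre-print check. This is an added example, not Heise's test code or Google's logic: the matching rules approximate the article's description, the TLD and string lists are the ones reported above, and the name `qr_url_risks` and the "label starts with www plus a digit" rule are assumptions.

```python
import re
from urllib.parse import urlsplit

# Lists taken from the report as described in the article.
CC_TLDS = {"at", "au", "br", "hu", "il", "kr", "nz", "ru", "tr", "uk", "za"}
SLD_ENDINGS = ("co", "com", "ac", "net", "org", "gov", "mil", "muni", "edu")
LONG_TLDS = {"cat", "int", "pro", "travel", "apple", "bet", "beer", "amex",
             "army", "art", "arte", "arab", "audio", "auto", "autos"}
# Assumption: issue 3 is modeled as any host label beginning "www" + digit.
WWW_DIGIT = re.compile(r"^www\d")


def qr_url_risks(url):
    """Return which of the reported issues (1, 2, 3) a URL would likely hit."""
    # urlsplit lowercases the hostname and strips port and credentials.
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return []
    tld, sld = labels[-1], labels[-2]
    risks = []
    # Issue 1: affected ccTLD, second-level label ends in a listed string
    # (a label that *is* the string, as in foo.co.at, is already correct).
    if tld in CC_TLDS and any(
        sld.endswith(e) and len(sld) > len(e) for e in SLD_ENDINGS
    ):
        risks.append(1)
    # Issue 2: TLD is one of the longer TLDs reported as truncated.
    if tld in LONG_TLDS:
        risks.append(2)
    # Issue 3: a label such as www6 or www2co gets split after "www".
    if any(WWW_DIGIT.match(label) for label in labels[:-1]):
        risks.append(3)
    return risks


if __name__ == "__main__":
    # URLs are the examples used in the article.
    for u in ("https://fooco.at/bar/index.htm", "https://referendum.cat",
              "https://www6.rbc.com", "https://www2co.at",
              "https://www.androidpolice.com/"):
        print(u, qr_url_risks(u))
```

A non-empty result means the URL should be tested on an affected device, or replaced, before the code is printed.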
Heise cites security researcher Dabrowski who suspects the issues could be tied to a controversial change introduced in Chrome. The browser hides full URLs in the address bar for simplicity, omitting some of the same parts as Google Camera. Just search for our address in Chrome’s address bar. You won’t see https://www.androidpolice.com/ – it will be androidpolice.com. While it’s understandable that Google tries to save as much space as possible when displaying URLs on small screens, these space-saving measures shouldn’t cause errors to pass into your browser, Dabrowski said.
However, the issue affects any browser, so even if you have, for example, Firefox set as the default browsing app on your Android 12 device, you’ll still be taken to the wrong link when you scan a QR code there.
Google Camera only reads QR codes when you enable Google Lens suggestions in its settings, which lets you “point your camera to scan QR codes and barcodes” using only the Google Camera app. Interestingly, Heise reports that the Google Lens app itself works great for all sorts of QR codes and doesn’t introduce any of the errors.
The problem can be a big deal, as it could potentially lead people to malicious websites deliberately set up to take advantage of these Google Camera behaviors. Although an attack like this may not reach too many people, setting up an unclaimed website is quite simple. Better to switch to Google Lens or a trusted QR code scanner such as ZXing Team Barcode reader until Google fixes the problem. Luckily, most of the affected URLs are edge cases, and it’s pretty unlikely that Pixel owners will regularly encounter addresses like these in the first place, given that Pixels are only officially sold in a few countries that are generally unaffected by the TLD woes. And newly invented TLDs like .auto or .audio are still rare enough not to pose a problem for the moment.
Heise was able to confirm its findings with the Pixel 3 XL, 3a, 4, 4a, 5, and 6 Pro on Android 12. A Pixel 3a running Android 11 did not exhibit the issue, but did after the upgrade to the latest version of the operating system. We can corroborate this with our own research on a Google Pixel 6 unit.
Fortunately, Google is aware of the issue and is working on a fix. You may not have to put up with the broken links produced by the Camera app for too long.
UPDATED: 2022/01/21 06:40 EST BY MANUEL VONAU
A fix is in the works
We have since learned that Google is aware of the issue and is working on a fix. The coverage has been updated accordingly.
Thank you: pseudo