Where is this QR Code taking me?

Posted on: August 6, 2013 | By: Christina Bonds | Filed under: Info Security

A URL (Uniform Resource Locator) is simply a website address. For example, http://www.elon.edu is a URL. When a URL is typed into a web browser, the browser turns it into an IP address. The IP address is where the website is located on the Internet.

QR (Quick Response) codes are bar codes that contain encoded information, like a URL. They can be found on packages, business cards, magazines, emails, posters, and other places. The information can be decoded by pointing your smartphone or device with a camera at the QR code using an app designed to read QR codes. A QR code gives a quicker way to get the URL into a web browser without having to type the URL yourself.

What is the risk?

Since the URL is embedded into the image, how do you know where you are actually going? Let’s say you are at the mall or an airport and you see a QR code advertising a new movie. You point your device to read the QR code, expecting it to take you to the movie trailer. While the advertisement is probably legitimate, criminals could have easily walked up to the advertisement and pasted a sticker with a QR code they created over the existing one. Now, any devices that would read the QR code would not take them to the movie trailer but to the site controlled by the attackers.


There are many apps that read QR codes. Be sure to use one that has security features such as allowing you to see the URL before going directly to the website.  Qrafter works well with an ipad mini.  Here are some to get you started.

How to Protect Yourself

1. Use an app that has the security feature to allow you see the URL before taking you to the website
2. Make sure the app has the security feature enabled
3. Inspect the QR code to make sure it is not a sticker

Try it out!

Using the QR code reader of your choice (security features enabled), point your device’s camera at the QR code below. It should take you to the URL for all of my blog posts.



Next Tuesday’s topic:  Shortened URLs

Previous post:  Anatomy of a phishing email

Christina Bonds

Christina Bonds, CISSP, is an Application Developer at Elon University

More Posts


Comments are closed.