CCTV recently exposed the risks of two-dimensional codes (QR codes), yet some people are still unfamiliar with what a two-dimensional code is and what risks it carries. This article shares some relevant background on two-dimensional codes and some techniques for making two-dimensional code payments more secure, in the hope that it helps.
Two questions need to be answered before the security of two-dimensional code payments can be improved:
1. What's inside the two-dimensional code?
2. Why can scanning a code get you "poisoned"?
To answer the first question: a two-dimensional code generally contains data such as long text, short text, web addresses, business cards, geographic location information, WiFi configuration information, and so on.
Now the second question. First, the concept of "poisoning" needs explaining. Poisoning is like falling ill: a virus needs an environment in which it can survive and develop. If scanning a code can poison you, what is that environment? It is the code-scanning software and the environment that software runs in (usually the mobile OS). The currently known two-dimensional code "viruses" work in roughly the following 3 ways:
Phishing websites. Strictly speaking this is not a "virus"; it belongs to the category of social engineering threats, and users with only a little security awareness can effectively avoid being fooled. On a phone, opening a URL is in itself safe in most cases; the danger lies in staying on the opened website and in what the user then does there: the user voluntarily enters a credit card number and security code, the user voluntarily enters an Alipay user account number ... In addition, a URL is not necessarily a website address. For example, there is a special kind of URL called a pseudo-protocol address, which also leaves room for imagination (although no attack cases seem to have been seen), such as sms://, tel://, and so on. When these are tapped, different systems may open different applications, such as text messaging, the telephone and so on.
HTML/JS mixed code. Many two-dimensional code applications offer so-called intelligent content awareness and recognition, and call a browser interpretation engine to host and process the decoded content. In essence this provides a "hotbed" for the "virus", which is how the user gets "poisoned". However, in the currently known attack cases, even when a pure third-party two-dimensional code application is attacked by such browser-side malicious code, the impact on the user is limited in most cases. In rare cases, the following can occur:
Malicious code directly attacks the browser's interpretation engine, causing a memory-corruption attack that directly achieves arbitrary code execution at the native application level, or even privilege escalation. The probability of this is much smaller than the probability of a PC browser suffering the same type of attack. The main reason is that most attack programs need a certain number of lines of code, while the amount of data a two-dimensional code can carry is capped by the capacity of its image encoding. Put simply: a complex attack needs more lines of code, and fewer lines of code can only achieve a simpler "attack". Because of this "flaw" in its own design, a two-dimensional code cannot provide enough storage space for malicious code, so the room for attack and its impact are limited.
Custom two-dimensional code applications. Although the content of a two-dimensional code is just ordinary text data (digits, characters and the like), some software defines its own parsing rules for this data so that, after a scan, it can automatically do xxx or automatically do yyy. The trouble lies precisely in this automated processing, which gives the data a second chance to turn into a "virus". How to understand this? SQL injection, XSS and similar issues in web security are the most typical reference cases of data turning into a "virus" when it is processed a second time.
Of the 3 categories of "virus" above, the first requires user interaction to succeed, while the latter two can "infect" without any user interaction.
The former is the most common at the moment; the latter two are easy to carry out but have a very limited impact in most cases.
The countermeasures are similar to those for the security problems of the Web age and require the joint efforts of several participants.
Scanning software vendors: when providing new applications based on two-dimensional codes, they should securely design and implement the engine that parses content after a code has been recognized. For recognized URLs, they can integrate a URL blacklist query service provided by a third-party security vendor, warn the scanning user in advance about known malicious websites, and disable support for interactive behavior. In addition, scanning software can provide a cool and shiny safe mode (in fact, a plain-text mode), so that users with security awareness and ability can see what the content actually is and then decide how to proceed: whether to allow the software to automatically do xxx or automatically do yyy. Of course, a product also has to be smarter at the user experience level, so that users can simply tap "Next".
Users: first, choose well-known two-dimensional code scanning software; second, avoid opening strange, unfamiliar URLs.
Security vendors: keep doing what you do now, and do more to push scanning software vendors to integrate your malicious website identification engines. Going a little further, there is cloud code scanning: all data in a two-dimensional code is first examined in the cloud, and bad content is disinfected there.
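One way to implement the plain-text safe mode and URL blacklist check suggested above for scanning software, given as an added example (not code from the original article or from any scanner product). It classifies the decoded text into the content types listed earlier, flags pseudo-protocol links, HTML/JS and blacklisted hosts, and opens nothing itself. The function names, the scheme list and the `phish.example` blacklist entry are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

BLACKLISTED_HOSTS = {"phish.example"}  # constructed sample; real data comes from a vendor service
# Schemes that hand the payload to another app ("pseudo protocol" addresses).
APP_SCHEMES = {"sms", "smsto", "tel", "mailto", "geo"}
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
MARKUP = re.compile(r"<[a-z/!]|^javascript:", re.I)


def inspect_payload(text):
    """Classify decoded text; return (kind, display_text, warnings). Opens nothing."""
    raw = text.strip()
    # Escape control characters so the user sees exactly what was encoded.
    display = "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in raw)
    warnings = []
    if MARKUP.search(raw):
        warnings.append("contains HTML/JS: show as text, never render")
    m = SCHEME.match(raw)
    scheme = m.group(1).lower() if m else ""
    if scheme in ("http", "https"):
        kind = "url"
        try:
            host = (urlsplit(raw).hostname or "").rstrip(".")
        except ValueError:  # e.g. a malformed IPv6 literal
            host = ""
            warnings.append("malformed URL")
        # Check the host and each parent domain against the blacklist.
        labels = host.split(".")
        if any(".".join(labels[i:]) in BLACKLISTED_HOSTS for i in range(len(labels))):
            warnings.append("host is on the malicious-site blacklist")
    elif scheme == "wifi":
        kind = "wifi-config"
        warnings.append("would change network settings")
    elif scheme in APP_SCHEMES:
        kind = "app-link"
        warnings.append("opens another app via %s:" % scheme)
    elif raw.upper().startswith("BEGIN:VCARD"):
        kind = "business-card"
    elif m and raw[m.end():].startswith("//"):
        kind = "custom-scheme"
        warnings.append("unknown scheme %s: do not auto-launch" % scheme)
    else:
        kind = "text"
    return kind, display, warnings


def needs_confirmation(kind, warnings):
    """Safe-mode policy: only warning-free plain text is handled automatically."""
    return kind != "text" or bool(warnings)
```

The caller displays `display_text` and the warnings, and performs the "automatic xxx" step only after the user confirms whenever `needs_confirmation` returns true.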
As for the future security of two-dimensional codes? Let us see what new applications two-dimensional codes get in the future. If there are no new applications, then the above already covers the causes of two-dimensional code viruses and the countermeasures. New applications? I have already predicted them in the third way.