Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

What’s a QR Code?

Why you shouldn’t scan them recklessly.

A QR Code.
A QR Code. (Image: askleo.com)
QR codes are a nifty way to encode web addresses and other text in a way that's easy for your smartphone to decode, but they are not without risk.

During a recent televised sporting event, a company spent a lot of money to run an advertisement that was nothing more than the display of QR code, not unlike the one displayed above.

Apparently, against all common sense and with no regard for security, millions of people used it.

Why? What did it mean? What are you supposed to do with it, and how does it relate to security?

They’re actually pretty cool.

But they can also be weaponized, and you’d never know.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

QR codes

QR codes are text encoded in a machine-readable format so scanners and smartphones can easily decode them. They’re most often used to encode webpage URLs. Since there’s no easy way to ensure they point to a non-malicious webpage, be skeptical and use them with caution.

QR: Quick Response

A QR (for Quick Response) code is nothing more than text encoded in a machine-readable way. Seriously, that’s it.

Here’s the previous paragraph encoded as a QR code:

Paragraph encoded as a QR code.
Paragraph encoded as a QR code. (Screenshot: askleo.com)

Here’s the Gettysburg Address encoded as a QR code:

Gettysburg Address - QR Code version.
Gettysburg Address – QR Code version. (Screenshot: askleo.com)

And at the top of the page is a QR code for the URL “https://askleo.com”.

Using a QR code

QR codes are intended to be scanned by apps on smartphones and other devices.

Depending on your phone, you may need to install a dedicated QR code scanning app, or it may already be built into your phone’s camera software.

Here’s the QR code at the top of the page, as “seen” by the camera in my Pixel smartphone:

QR code in phone camera.
QR code in phone camera. Click for larger image. (Screenshot: askleo.com)

I’ve circled the text decoded by my camera. The camera previews the beginning of the decoded text if it can sense that it’s looking at a QR code.

If I were to tap on the text circled in red above, it would open the web browser on my phone and take me to that URL.

And that’s the general idea. While there are other uses, the primary intent is that you point your phone’s camera at a QR code, let it decode what it sees, and then go to the URL encoded within.

But there’s a risk.

Why millions of people were wrong to scan

You can’t tell what a QR code contains before you scan it. Many scanning apps only display the first part of what they find, so even the “preview” above could be incomplete. Some don’t preview at all and simply go.

Blindly scanning and using a QR code is like clicking on a link you can’t see. You have no idea where it will take you.

You have no idea whether it’s legit or dangerous.

Hackers and scammers know this.

Now, the QR code displayed in that TV add is very likely legitimate,1 as are those I’ve shown above.

But you just don’t know.

Using QR codes safely

Be skeptical. Like any URL you click on, make sure you trust the source.

If you don’t — if you’re not sure — then don’t. Get to the information it purports to represent some other, safer, way.

Creating QR codes

Many browsers now have controls allowing you to make a QR code for the URL currently displayed in your browser.

Edge creating a QR code.
Edge browser creating a QR code. Click for larger image. (Screenshot: askleo.com)

In addition, there are several QR code generators available on the web and in various applications.

Do this

Scan this QR code:

newsletter.askleo.com
newsletter.askleo.com

and subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

Podcast audio

Play

Footnotes & References

1: Although it did crash the servers at the target website because of the overwhelming volume.

20 comments on “What’s a QR Code?”

  1. It seems to me that the proper course is to install a QR Code-Reading App that displays the content of the QR Code — the whole QR Code — ALL of it — and then explicitly asks whether it should load the webpage (or otherwise “execute” the text).

    On an side matter, I have a question: You put the Gettysburg Address in a QR Code! So, just how much text is a QR Code able to hold?!?

    Reply
      • I have used zxing (zebra crossing) that can decode almost any bar codes in the past.
        I am currently using QrEasy

        Reply
    • My phone also did not have a built in QR scanner, so I installed “Trend Micro QRScanner”. The nice thing about this scanner is that it tries to verify the URL before asking if you want to navigate there (you can configure it to automatically navigate to URLs that it has determined are safe). There are plenty of legit sites that show up as “unverified”, but then you just have to use your judgement as to whether to continue.

      Reply
  2. First, let me say that this week’s articles are a welcome diversion from all the backup articles – not that backups are bad.

    One way of looking at QR codes and the software in your phone is that a QR code tells your phone to do something. That something may be bad. Remember how the original HTML evolved from a graphical rendition language to a full blown programming language that can do anything to your device? This is likely to happen with QR codes. Already QR codes (and the associated software) can send emails, dial phone numbers, detect and report your location, download apps, etc.

    Reply
  3. Be careful of those QR codes, especially if you see one on a sheet of paper (like a one page restaurant menu or a hand-out at your local retail store). A malicious person can easily make copies of the paper, remove the QR code if it had one, add their own QR code, and put the new copies on the counter. Also, be cautious if the QR code is attached with adhesive. The real QR code might be underneath (if there was one) and a malicious QR code could be stuck on top of it.

    Reply
  4. Is there a (free) QR program that you recommend to download on your desktop computer to help us generate copy as we develop that? I’d appreciate it. I tried generating some QR codes a while back and it showed funny pictures in the QR which I thought was weird so I just didn’t complete the project. Thanks Leo. I love your newsletters and you’re doing a great job (especially for us beginner non-geeky types). Denice

    Reply
  5. Hi Leo, Quick QR question not covered above. I have been seeing various commercials on TV w/ this kid of code embedded into the ad. Is it possible to scan or use a Smartiephone by pointing same at TV screen or on a monitor screen? I remember seeing these codes on grocery items too. They are similar to the price scan codes the cashier ‘reads’ w/ a hand held or counter embedded scanner but I never really knew what the Dickens they were. Many thanks for the answers above and the warnings too. I only use a laptop or desktop PC and I have no scanners and no Smartiephones. Happy Eastertide!- Jack/keimanzero
    Campbelltown/Palmyra PA

    Reply
  6. Thank you for the article. I always wondered about the QR, but refused to touse them as I suspected the security concerns. I rarely use my cell phone anyway and I am mostly at my desktop, so I have been safe. But, now, knowing this, I feel “safe”! Safe enough to avoid using them, unless I know the content text.

    Reply
  7. Leo
    I guess the QR codes are not for everyone. I am confused on why they are necessary?
    I have never used or need to use them, especially since you stated it may be a security issue with regards to what the QR codes may hold, malicious coding.
    So, Who can you trust if what you have stated is true?
    More like being blindfolded and walked towards a cliff, no really trust me, walk this way it’s all ok!

    Reply
  8. I believe QR codes came out several years ago (or they were made public at that time). I never saw them in use until recently and now they are all over. What happened?

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.