this post was submitted on 06 Jan 2025
562 points (98.0% liked)

memes

10932 readers
3191 users here now

Community rules

1. Be civilNo trolling, bigotry or other insulting / annoying behaviour

2. No politicsThis is non-politics community. For political memes please go to [email protected]

3. No recent repostsCheck for reposts when posting a meme, you can only repost after 1 month

4. No botsNo bots without the express approval of the mods or the admins

5. No Spam/AdsNo advertisements or spam. This is an instance rule and the only way to live.

Sister communities

founded 2 years ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[โ€“] [email protected] 7 points 1 week ago (1 children)

Well, yes. You could bury code or malicious data in an image, QR or otherwise, and leverage an exploit that during processing of the visual data within the camera subsystem or inter subsystem calls could hypothetically trigger an execution path that results in a different outcome than expected, all without user permission. There is a lot of sw and hw sec controls in play at internal system boundaries and it would be very very difficult to gain privilege enough to fist fuck a phone but not impossible.

With the outstanding level of FR, NFR and Sec testing that companies perform these days it is not likely to happen. It's not like they push out minimal viable products or something, right? /S

[โ€“] [email protected] 1 points 1 week ago

Well that's one layer, but when you decode a url, you're probably going to get a url, and then it's going to go to that url

So now you just made them to to a website. What's there? Whatever you want. Maybe you ask them for Facebook/Google/GitHub or whatever authorization to see their name and email, which a lot of people would do. Then redirect them to a page saying "now I know who you are, delete the photo, "

Or you could send them a payload based on fingerprinting their request, you could give them a fake page to steal their password, etc