Google Camera update fixes issue that randomly changed QR code URLs on Android 12

QR codes have become a ubiquitous part of everyday life, whether you like them or not. But they can also pose a security risk, as you can’t see at a glance to which website they’re directing you. While scanner apps usually show which URL is hidden inside a QR code, the Google Camera app apparently went a step further and tried to autocorrect URLs it deems wrong, leading to more problems than solutions.

Thankfully, Google has reacted quickly and has already provided a fix, just a few days after the story initially broke. The latest version of Google Camera doesn’t exhibit the problem anymore.


As reported and investigated by German publication Heise, Google Camera routinely ran into at least three distinct errors. The first one revolves around a few country-code top-level domains (ccTLD), and it doesn’t matter if a QR code only directs you to an affected domain (like the non-existent Austrian https://fooco.at) or if it links to further directories (https://fooco.at/bar/index.htm). If the domain’s second level (fooco) ends with certain strings, Google Camera will automatically insert a dot, turning a link like https://fooco.at into https://foo.co.at. Heise tested further combinations and found that the issue also exists for .au, .br, .hu, .il, .kr, .nz, .ru, .tr, .uk, and .za. The affected strings at the end of the second level include co, com, ac, net, org, gov, mil, muni, and edu, but not or, gv, and k12.

The second issue deleted some strings altogether, and again, only specific strings are affected. Here, the problem crops up for top-level domains that are longer than two letters (like the Catalonian .cat). Heise reports that Google Camera swallows the strings following the initial two, turning something like the Catalonian independence referendum’s address (https://referendum.cat) into the non-existent Canadian address https://referendum.ca. The same problem exists for .int, .pro, .travel, .apple, .bet, .beer, and .amex, with almost all of these being cut down to the first two letters (.apple being the exception in turning into .app). The problem also affects newer TLDs like .army, .art, .arte, .arab, .audio, .auto, and .autos.


Security researcher Adrian Dabrowski discovered a third problem that affected numbers in the subdomain (usually the www part). Here, Google Camera would once again arbitrarily add a dot, turning legitimate addresses like the Royal Bank of Canada’s https://www6.rbc.com into the 404-ing https://www.6.rbc.com. While you probably shouldn’t use a random QR code to access your online banking address, the problem might be more relevant for addresses like New York City’s https://www1.nyc.gov, which Google Camera turns into https://www.1.nyc.gov.

If you wanted to go wild, you could even combine error 3 with error 1 or 2, turning addresses like https://www2co.at into https://www.2.co.at.
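For anyone publishing QR codes, the three reported behaviours can be modelled to check which URLs an unpatched Google Camera would have altered. This is an added example, not Google's code or Heise's test tooling; the function names are hypothetical, error 3 is assumed to apply only to a `www` label followed by digits, and the newer TLDs are assumed to be cut to two letters like the others.

```python
import re
from urllib.parse import urlsplit

# Lists as reported in the article (Heise's tests); not exhaustive.
CCTLDS = {"at", "au", "br", "hu", "il", "kr", "nz", "ru", "tr", "uk", "za"}
SLD_ENDINGS = ("muni", "com", "net", "org", "gov", "mil", "edu", "co", "ac")
CUT_TLDS = {"cat", "int", "pro", "travel", "apple", "bet", "beer", "amex",
            "army", "art", "arte", "arab", "audio", "auto", "autos"}

def model_rewrite(url):
    """Return (rewritten_host, [error numbers]) for the host of `url`."""
    labels = (urlsplit(url).hostname or "").lower().split(".")
    errors = []
    if len(labels) >= 2:
        tld, sld = labels[-1], labels[-2]
        # Error 1: dot inserted before a known ending of the second-level label.
        if tld in CCTLDS:
            for end in SLD_ENDINGS:
                if sld.endswith(end) and len(sld) > len(end):
                    labels[-2:-1] = [sld[:-len(end)], end]
                    errors.append(1)
                    break
        # Error 2: long TLD cut to two letters (.apple becomes .app).
        if tld in CUT_TLDS:
            labels[-1] = "app" if tld == "apple" else tld[:2]
            errors.append(2)
    # Error 3: dot inserted between "www" and a trailing number (assumed scope).
    out = []
    for label in labels:
        m = re.fullmatch(r"(www)(\d+)", label)
        if m:
            out += [m.group(1), m.group(2)]
            if 3 not in errors:
                errors.append(3)
        else:
            out.append(label)
    return ".".join(out), errors

def audit(urls):
    """Map each URL whose host the model changes to (new_host, errors)."""
    result = {}
    for u in urls:
        host, errors = model_rewrite(u)
        if errors:
            result[u] = (host, errors)
    return result
```

Running `audit()` over the URLs encoded in printed or published QR codes lists the ones whose host would have changed, which are the ones worth re-testing with a patched scanner.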


Heise cites security researcher Dabrowski who suspects that the issues might have been related to a controversial change introduced in Chrome. The browser hides full URLs in the address bar for the sake of simplification, omitting some of the same parts as Google Camera. Just look up our address in Chrome’s address bar. You won’t see https://www.androidpolice.com/ — it will be androidpolice.com. While it’s understandable that Google tries to save as much space as possible when displaying URLs on small screens, these space-saving measures shouldn’t lead to errors carrying over into your browser, said Dabrowski.

However, the issue affected any browser, so even if you had, say, Firefox set as your default browsing app on your Android 12 device, you’d still be directed to the wrong link whenever you scanned a QR code using Google Camera.


Google Camera only reads QR codes when you activate Google Lens suggestions in its settings, allowing you to “point your camera to scan QR codes and barcodes” using only the Google Camera app. Strangely enough, Heise reports that the Google Lens app itself works just fine for all kinds of QR codes and isn’t introducing any of the errors.

The problem could have been a big deal, because it potentially led people to malicious websites purposely set up to take advantage of these Google Camera rules. While an attack like this might not reach too many people, setting up an unclaimed website is easy enough — at least if the domain in question actually exists (which isn’t the case for many of the errors introduced through Google Camera). Thankfully, most of the affected URLs were edge cases, and it’s pretty unlikely that Pixel owners would routinely run into addresses like these in the first place, given that Pixels are officially only sold in a few countries mostly not affected by the first error. And newly invented TLDs like .auto or .audio are still rare enough that they shouldn’t be a problem right now.


Heise was able to confirm its findings with the Pixel 3 XL, 3a, 4, 4a, 5, and 6 Pro on Android 12. A Pixel 3a running Android 11 didn’t exhibit the problem, but did after upgrading to the latest OS version — we presume that that also triggered a Google Camera update. We can corroborate Heise’s findings with our own research on a Google Pixel 6 unit.

Luckily, Google worked hard to fix the problem quickly. Check the Play Store for a Camera update to version 8.4.400.423370569.19, which doesn’t introduce these attempted corrections anymore. If it isn’t available for you yet, you can also try downloading it over at APK Mirror.

UPDATE: 2022/01/22 12:10 EST BY MANUEL VONAU

The issue has been fixed

Google has reacted quickly and provided a fix for the problem in a recent app update. The coverage has been updated accordingly.

Thanks: Nick & Mikhail
