Google Camera update fixes an issue that randomly changed QR code URLs on Android 12

QR codes have become a ubiquitous part of everyday life, whether you like them or not. But they can also pose a security risk because you can’t see at a glance which website they’re directing you to. While scanner apps usually show which URL is hidden in a QR code, the Google Camera app apparently went a step further and tried to auto-correct URLs it deemed wrong, which led to more problems than solutions.

Thankfully, Google reacted quickly and already provided a fix, just days after the story broke. The latest version of Google Camera no longer has the problem.


As reported and researched by the German publication Heise, Google Camera regularly encountered at least three separate errors. The first revolves around a few country code top-level domains (ccTLDs), and it doesn’t matter if a QR code only directs you to a relevant domain (like the nonexistent Austrian https://fooco.at) or if it points to other directories (https://fooco.at/bar/index.htm). If the second level of the domain (fooco) ends with certain strings, Google Camera automatically inserts a period, turning a link like https://fooco.at into https://foo.co.at. Heise has tested other combinations and found that the problem also exists for .au, .br, .hu, .il, .kr, .nz, .ru, .tr, .uk, and .za. Strings affected at the end of the second level include co, com, ac, net, org, gov, mil, muni, and edu, but not or, gv, and k12.




The second issue completely removes some characters, and again only specific domains are affected. Here the problem arises for top-level domains that are longer than two letters (like the Catalan .cat). Heise reports that Google Camera swallows the characters after the first two, turning something like the address of the Catalan independence referendum (https://referendum.cat) into the non-existent Canadian address https://referendum.ca. The same problem exists for .int, .pro, .travel, .apple, .bet, .beer, and .amex, with almost all of these being reduced to the first two letters (.apple being the exception by turning into .app). The problem also affects new TLDs like .army, .art, .arte, .arab, .audio, .auto and .autos.

Security researcher Adrian Dabrowski discovered a third issue that affected numbers in the subdomain (usually the www part). Here, Google Camera would once again arbitrarily add a period, transforming legitimate addresses like that of the Royal Bank of Canada, https://www6.rbc.com, into the 404-ing https://www.6.rbc.com. While you probably shouldn’t use a random QR code to access your online banking address, the issue might be more relevant for addresses like New York’s https://www1.nyc.gov, which Google Camera turns into https://www.1.nyc.gov.

If you wanted to go wild, you could even combine error 3 with error 1 or 2, transforming addresses like https://www2co.at into https://www.2.co.at.
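The three rewrite patterns described above, modelled as an added example (not code from Heise, Dabrowski or Google) that audits URLs you plan to encode in QR codes and reports which ones the pre-fix Google Camera would have altered. The domain lists come from the article; the function name `audit` and the reading of error 3 as "a digit directly after www" are assumptions.

```python
import re
from urllib.parse import urlsplit

# Values reported in the article; the rules are a model, not Google's code.
CCTLDS = {"at", "au", "br", "hu", "il", "kr", "nz", "ru", "tr", "uk", "za"}
SLD_SUFFIXES = ("co", "com", "ac", "net", "org", "gov", "mil", "muni", "edu")
TWO_LETTER_CUT = {"cat", "int", "pro", "travel", "bet", "beer", "amex"}
OUTCOME_NOT_STATED = {"army", "art", "arte", "arab", "audio", "auto", "autos"}


def audit(url):
    """Return (predicted_host, issues); an empty issues list means unaffected."""
    labels = (urlsplit(url).hostname or "").lower().split(".")
    tld, rest, issues = labels[-1], [], []
    # Error 3 (assumed pattern): a digit directly after "www" is split off.
    for label in labels[:-1]:
        m = re.fullmatch(r"(www)(\d.*)", label)
        if m:
            rest += [m.group(1), m.group(2)]
            issues.append("period inserted after www")
        else:
            rest.append(label)
    # Error 1: second-level label ending in a listed string under a listed ccTLD.
    if tld in CCTLDS and rest:
        sld = rest[-1]
        for suffix in SLD_SUFFIXES:
            if sld.endswith(suffix) and len(sld) > len(suffix):
                rest[-1:] = [sld[: -len(suffix)], suffix]
                issues.append("period inserted in second-level label")
                break
    # Error 2: listed long TLDs are cut short (.apple becomes .app).
    if tld in TWO_LETTER_CUT or tld == "apple":
        tld = "app" if tld == "apple" else tld[:2]
        issues.append("TLD truncated")
    elif tld in OUTCOME_NOT_STATED:
        issues.append("TLD affected, result not stated in the article")
    return ".".join(rest + [tld]), issues


if __name__ == "__main__":
    # Constructed list: the article's example URLs plus one unaffected address.
    for url in ("https://fooco.at/bar/index.htm", "https://referendum.cat",
                "https://www6.rbc.com", "https://www2co.at",
                "https://www.androidpolice.com/"):
        host, issues = audit(url)
        print(url, "->", host, issues or "unaffected")
```

A scanner-side regression test follows from the same idea: the URL handed to the browser must equal the decoded QR payload exactly, so any non-empty `issues` list for a test code is a failure.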


Heise cites security researcher Dabrowski, who suspects the issues could be tied to a controversial change introduced in Chrome. The browser hides full URLs in the address bar for simplicity, omitting some of the same parts as Google Camera. Just search for our address in Chrome’s address bar. You won’t see https://www.androidpolice.com/ – it will be androidpolice.com. While it’s understandable that Google tries to save as much space as possible when displaying URLs on small screens, these space-saving measures shouldn’t cause errors to pass into your browser, Dabrowski said.

However, the problem affected any browser, so even if you had, for example, Firefox set as the default browsing app on your Android 12 device, you would still be taken to the wrong link every time you scanned a QR code using Google Camera.


Google Camera only reads QR codes when you enable Google Lens suggestions in its settings, which lets you “point your camera to scan QR codes and barcodes” using only the Google Camera app. Interestingly, Heise reports that the Google Lens app itself works great for all sorts of QR codes and doesn’t introduce any of the errors.

The problem could have been a big deal because it potentially led people to malicious websites purposely created to take advantage of these Google Camera rules. While such an attack might not reach too many people, setting up an unclaimed website is fairly simple, at least if the domain in question actually exists (which many of the addresses introduced through Google Camera’s errors do not). Luckily, most of the affected URLs were edge cases, and it’s pretty unlikely that Pixel owners will regularly encounter addresses like these in the first place, given that Pixels are only officially sold in a few countries that are generally unaffected by the first error. And newly invented TLDs like .auto or .audio are still rare enough not to pose a problem for the moment.


Heise was able to confirm its findings with the Pixel 3 XL, 3a, 4, 4a, 5, and 6 Pro on Android 12. A Pixel 3a running Android 11 did not exhibit the issue, but did after the upgrade to the latest version of the operating system; we’re guessing this also triggered a Google Camera update. We can corroborate Heise’s findings with our own research on a Google Pixel 6 unit.

Fortunately, Google worked hard to resolve the issue quickly. Check the Play Store for a camera update to version 8.4.400.423370569.19, which no longer introduces these attempted fixes. If it is not yet available for you, you can also try downloading it from APK Mirror.

UPDATED: 2022/01/22 12:10 EST BY MANUEL VONAU

The problem was resolved

Google reacted quickly and provided a fix for the problem in a recent app update. The coverage has been updated accordingly.

Thank you: Nick and Mikhail

