
How Are QR Codes Hacked? SQL Injections 

Sumsub · 458K subscribers · 59K views

This video explains the meaning and functionality of QR codes, which have become an essential part of our lives. However, are they safe for users?
To learn that and more about how QR codes work, their vulnerabilities, and how hackers can use them as a tool, watch the video right now!
#qrcode #qrcodes #hacking #hackers #sumsub
00:00 Intro
01:02 What is a QR code?
02:59 Who are we?
04:19 How does the QR code work?
08:06 What can a hacker do?
09:58 How does a hacker act during an attack
11:43 Conclusion
Sumsub - empowering compliance and anti-fraud teams to fight money laundering, terrorist financing, and online fraud.
More about us:
sumsub.com

Category: Science
Published: 1 Jun 2024

Comments: 107
@Sumsubcom, 2 months ago
Who scanned all the QR codes? What's your fav? Drop the meme
@oussama7132, 2 months ago
Wouldn't the devs be able to use parametrized queries or validate user input? Can't they compare only the id and get the price from the db? And can't the QR codes be encrypted?
@anselminos5238, 2 months ago
A developer can prevent this from doing damage by sanitizing the special characters in the data that is going to be inserted into the SQL query. Sanitization is most commonly done by the library (code that the developer didn't write) that the developer uses to access the database; however, if the developer isn't paying attention to how he is inserting the data into the SQL query, it may lead to the vulnerability displayed in the video, which is known as an SQL injection. As you mentioned, parametrized queries are the most common way the database libraries provide the possibility to insert data into the query without it being vulnerable to SQL injections.
@vaggelis_best, 2 months ago
Very nice points! I don't really know the answer but they sound like very good solutions to me👍
@jld3106, 2 months ago
Can't you just use a simple length check on the variable or check if it fits into the scheme? Like, is it a number? Or the simple escape checks already mentioned. This is so easily prevented. Also, if it actually ever worked anywhere, I bet you it was fixed in 30 minutes. And rolling out by then.
@lucaslothbrook5388, 2 months ago
I'm no expert but I didn't think it'd be this easy either, and this could be prevented; GPT 3.5 pretty much says what these guys do: "In summary, SQL injection vulnerabilities arise when user input is not properly sanitized or validated before being used in SQL queries, allowing attackers to manipulate the queries in unintended ways. It's crucial for developers to use parameterized queries or prepared statements and input validation to prevent SQL injection attacks."
@Sumsubcom, 2 months ago
Well, parameterized queries are a reliable and at the same time simple protection against SQL injections. But it is important to remember that, depending on the logic of the application, OS injections are also possible, where a different approach to processing user input is required.
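Added example (not code from the video or from Sumsub) illustrating the fixes proposed in the @anselminos5238 and @jld3106 comments above: a checkout lookup where the QR payload carries only a product id, shown once with the payload spliced into the SQL text and once with a length/digit check plus a bound parameter. The catalogue rows and the `products` table are constructed for this example.

```python
import re
import sqlite3

# Constructed sample catalogue: the scanned QR payload is only a product id;
# the price lives in the database, as several commenters describe.
PRODUCTS = [(101, "Bananas", 1.20), (102, "TV", 499.00)]


def setup_db():
    """Build an in-memory SQLite catalogue from the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.commit()
    return conn


def lookup_price_vulnerable(conn, qr_payload):
    """Deliberately vulnerable: the raw QR payload is spliced into the SQL text.
    %-formatting (not only f-strings) is enough to make this injectable; the
    defect is in how the SQL string is built, not in the Python syntax used."""
    sql = "SELECT price FROM products WHERE id = %s" % qr_payload
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def validate_product_id(qr_payload):
    """The length and type check from the thread: 1 to 8 ASCII digits only.
    Returns the id as an int, or None when the payload does not fit the scheme."""
    if not isinstance(qr_payload, str) or not re.fullmatch(r"[0-9]{1,8}", qr_payload):
        return None
    return int(qr_payload)


def lookup_price_safe(conn, qr_payload):
    """Hardened: validate first, then bind the id as a query parameter so the
    driver never treats any part of the payload as SQL."""
    product_id = validate_product_id(qr_payload)
    if product_id is None:
        return None
    row = conn.execute("SELECT price FROM products WHERE id = ?", (product_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = setup_db()
    # A payload that asks the database for a price it never stored.
    crafted = "0 UNION SELECT 0.01"
    print(lookup_price_vulnerable(conn, "102"))    # 499.0
    print(lookup_price_vulnerable(conn, crafted))  # 0.01, the "TV for 0.01" case from the thread
    print(lookup_price_safe(conn, "102"))          # 499.0
    print(lookup_price_safe(conn, crafted))        # None, rejected before any SQL runs
```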
@aw_dev, 2 months ago
Input sanitization? This video makes no sense.
@heliorosa8148, 2 months ago
It's garbage fear-based shilling for their products
@Primeagen, 2 months ago
This video makes sense. Now input sanitization is required to stop this type of attack
@Sumsubcom, 2 months ago
Yup, control the input data. Never directly expose them.
@chiroyce, 2 months ago
@Primeagen This doesn't just apply to QR codes though; anywhere in any application, input sanitization is a must.
@bjtaudio, 2 months ago
Also, prices come from the database, as they may change; the QR code doesn't need to change, nor should it contain the price. No database designer would include the price in the QR code, allowing an attacker to change the price or even change the behavior. It's programming madness. No one would be so stupid to allow this.
@lucaslothbrook5388, 2 months ago
Yeah, totally... I thought a QR just contained a product ID. Things go on sale... prices change, same QR.
@stevesteve8098, 1 month ago
LOL, clearly you have never worked on a programming team... This sort of shit is sooooo common it is unbelievable... and some of these ass clown programmers are pulling down >$150k USD a year...
@bjtaudio, 2 months ago
My understanding is a QR code is used as a simple id code for a product, nothing else. As it is used just to identify one item from a list of valid products from your database, if any other code including SQL injection is attempted, it would not work, as your system simply will not use it; it is just looking for the product id and that is it. It would be stupid to design or allow a QR code to include SQL code to change critical database behavior; if it is attempted, it should be ignored, or come up with an invalid code error.
@1879heikkisorsa, 2 months ago
😂 you clearly have not understood the issue. The problem here is that without proper input sanitation such a system is vulnerable by default. It's not a feature developers add, but a threat that is often forgotten.
@stevesteve8098, 1 month ago
LOL... you are clearly NOT a hacker... or even appear to have the skills needed to think of how this is working. What is worse, you just watched an instructional video... of how to do it and you STILL could not get your head round it. You potentially have a strong future in top management. This is even more dangerous if you consider that there are morons walking about with powerful hand-held computers, scanning QR codes all over the place. It is what happens when simps or millennials think they are "rockstar" computer programmers. I worked in a company where one of their "ROCKSTAR" programmers was writing business systems so full of exploits it was embarrassing... I tried to point it out but no one was listening... in the end I left... he later left and went to work for a big retailer as programmer lead... I see his handiwork all over their customer-facing systems... The frightening thing is that MOST large businesses are NOT interested in doing things right. I have seen systems that are complete shells, where management evaluate screen graphics as an indication of "professionalism". They are not interested; if you show them 2 IDENTICAL screens but the code behind one of them is full of exploits, and I made the one full of exploits have flashy shit or colour... that's the one they would pick.
@exe7936, 2 months ago
Well, the idea is cool, but almost all stores use bar codes, not QR codes
@stevesteve8098, 1 month ago
In 3rd world countries... yes... but not in Asia...
@petertrex, 2 months ago
What is this video??? This does not make sense in at least the shopping scenario, and likely for others. Why take QR payment, for example? Items in the stores are coded in a standardized barcode, with only what item that is supposed to be; price data is in the POS system, which asks the DB for the price. There is no way a malicious actor can change the price with a QR code. Also, payment processors know these risks, so the payment authorization QR has 2 types: one where the customer scans the store code and sends the amount, which requires the customer to show how much they send (apps prompt to show it to the clerk), or the opposite, where the store scans your barcode with your UserID (again, not a QR), then the store system asks for the processing of said amount, and the result will show up on the customer's device. Also, if there is funny business, the payment will just error out like a credit card gets rejected. Don't get me wrong, SQL injection can still be possible if the system were configured in such a way that the QR contains a value that shouldn't be altered. But that kind of configuration needs to be configured on a per-store, per-item basis. So a normal POS system with compatibility with a payment processor is pretty safe from these kinds of attacks. It will, like I said, reject the payment or error out. I think you are out of touch, and there were several mistakes in the video, at least 5. Your videos are usually very good but not this one.
@lucaslothbrook5388, 2 months ago
Even if a store used QR like this, if a QR only contains a prod id and is compared to a DB, how does this work at all? You change an id and it comes up as an error. I'm so confused and this is a waste of time lol
@Sumsubcom, 2 months ago
There are no uniform standards - you can see this even without a trained eye just by looking at the different types of data in QR codes - someone stores a URL, someone a unique long value, and somewhere a simple number. It is also worth not forgetting about vending machines, where the budget can be much lower and things can be even worse. Personally, in practice, we have encountered not only SQL injection but even OS injection.
@SALTINBANK, 2 months ago
Always wear white gloves to type stealthily on the keyboard, guys...
@Sumsubcom, 2 months ago
Yeah........... *felt attacked*
@SALTINBANK, 2 months ago
@Sumsubcom you won't... just a joke, chill, we are on the same side: I just don't like stereotypes, but I understand it is for the show...
@santotrafugante9180, 2 months ago
That is definitely one good quality video that got me stuck to the screen wondering how. I'm a programmer and still I haven't heard of that before
@stevesteve8098, 1 month ago
Not surprising if you don't deal with databases... This is the SQL language... and each database has a different version of the language. So, for example, if you are a C#, C or C++ or Java programmer you would NEVER see this... unless you were working with databases.
@aaronrdaniels, 2 months ago
Well done taking the time with the QR thumbnail
@Sumsubcom, 2 months ago
Did you scan the other QR codes in the video? :)
@aaronrdaniels, 2 months ago
@Sumsubcom noooo, thanks for the heads-up! I definitely wouldn't have. Ur videos always go in my watch later list because I actually want to pay attention to the full thing. U don't just make background study videos 🖤
@worgle123, 2 months ago
People who scanned that thumbnail QR 👇
@Sumsubcom, 2 months ago
you're the coolest ones
@user-ec5bf5mi1p, 2 months ago
Excellent video, I hope to recommend more!
@Sumsubcom, 2 months ago
Thanks, will do!
@AlexisJunior, 5 days ago
Interesting, thanks!
@Ahmed-zg1iv, 2 months ago
me trying to scan all QR codes shown in the video 💀
@Sumsubcom, 2 months ago
we love to leave hints
@miguelangelrodriguez8999, 2 months ago
Thank you
@ChewyDrift, 1 month ago
The hacker hacked the keyboard 😂
@sierragutenberg, 2 months ago
bro thinks we're living in 2010, grocery stores aren't that stupid bud, everybody sanitizes their SQL queries or uses some ORM nowadays...
@juniper_b0nsai245, 2 months ago
Love the channel - keep it up!
@Sumsubcom, 2 months ago
Thanks man!
@sbcinema, 2 months ago
Nice, free food for everyone 🙂
@MsHojat, 1 month ago
I find that QR codes are typically just things like URLs or user names/ids/addresses, such as the case with COVID-19 vaccination QR codes. Seems a lot harder to hack the typical sort of uses like that. In theory injection could still be done, but only if there was no sanitation, and typical cases like URL accessers ("browsers") and apps that use user ids or what-not all have sanitation in them already, not required for the users/businesses to ever set up.
@joesmith942, 2 months ago
As presented, this seems hypothetical. Are there examples of people changing prices or taking down a store? The risk/reward for cheap bananas seems skewed towards not attacking.
@stevesteve8098, 1 month ago
Yes......... and there are examples of hackers over-pasting QR codes for car parking sites, where the user scans a QR code & downloads a malware app
@hixe, 2 months ago
Dude, your videos are usually great, but you are out of touch here. 100%.
@Philippians4.13Enjoyer, 2 months ago
What do you mean
@hixe, 2 months ago
@Philippians4.13Enjoyer He doesn't seem to understand how QR codes actually work; they don't contain price data at all, and they are not identifiers..
@aw_dev, 2 months ago
Agreed.
@HedgehogGolf, 2 months ago
@hixe What do you mean? At 5:15 he says that in this hypothetical scenario the QR code stores only an identifier and not the price or anything like that.
@zekiz774, 2 months ago
@HedgehogGolf 5:35 "and all this can fit into a QR code" I know what's meant, but it is really misleading. This video isn't about QR codes but SQL injections
@forestcat512, 2 months ago
Everything that comes from the user could potentially be dangerous; never trust the user is the way to go here. Also, you said you won't be doing a tutorial on this and then continue to make a tutorial
@rj7855, 2 months ago
I never saw a shop using QR codes for its prices; every store uses good old bar codes with an EAN/UPC code, and the encoding capacity of these codes is far too short for a SQL injection. Moreover, any professional developer sanitizes any external input; long gone are the days of script kiddies developing retail solutions.
@rotechs, 2 months ago
This video is fiction! Checkout systems don't work that way! The price can't be changed by the QR code because the price is stored in the database, to which the scanning terminals only have read-only access. Forget SQL injection because the data is always sanitised. At best, all you will get are errors if you dare scan a dodgy QR code and hopefully it will trigger a store alarm in a secure environment! 😊 Also, some cool self-checkout systems have a scale to measure the total weight of items you checked out to ensure the weight corresponds with the weight of the items saved in the database. Forget about it.
@valters_eu, 1 month ago
Interesting. Only if the cashier gets suspicious that a guy buys a TV for 0.01
@tiojoe_, 2 months ago
Your video had me on the edge of my seat, like waiting for a breath of fresh air! Your content is truly the pinnacle of excellence, and I always find myself eagerly anticipating each new release.
@Sumsubcom, 2 months ago
That's so inspirational. Thank you very much. Our team is happy that you guys like our videos!
@goofballbiscuits3647, 2 months ago
"An SQL query is an entire language"... What? Ima head out. No one has been susceptible to SQL injection in years; unless you have edit rights to a database, you aren't changing a thing in the database, and QR codes are single data points well outside the perimeter of injecting SQL. They are almost always a URL nowadays. You won't have table names, credentials to get into any database or anything, because no one does this with QR codes, and no decent company will be this dumb on this many levels. This video is clearly fearmongering piggybacking disinformation in order to plug a business. That's an unsub from me.
@Sumsubcom, 2 months ago
QR codes more often represent an identifier when the data itself is in some database. For example, a QR code when entering a museum or transport will not contain the number of passes in the code itself. This reduces the risk of data forgery.
@miteshvalvi1170, 2 months ago
Awesome video sir
@Sumsubcom, 2 months ago
Thanks from our big team :)
@amansaiyed5909, 2 months ago
Sumsub next year completes 10 years for the Sumsub company 🎉
@lewisgraf6643, 2 months ago
And what about barcodes?
@manu_ovg, 2 months ago
Looks like we can't (at least not yet)
@KooLaidStudios, 2 months ago
Can you do the same with barcodes?
@Sumsubcom, 2 months ago
Thanks for the idea, we'll think of it!
@RubensRainelli, 11 days ago
Sincerely, I have never seen such a dumb way to set prices in Italy... On the barcode there are only IDs and not prices... 😂
@yashfu, 2 months ago
cool
@Chuckenudykdn0973, 2 months ago
Acc live for these
@cameronrich2536, 1 month ago
Pretty sure Flippers have screens... at least mine does
@matthieuobyrne4715, 1 month ago
at that point just don't scan anything and steal it
@EreminYaroslav, 2 months ago
I think I got enough information to replicate that trick
@arcanondrum6543, 2 months ago
_"Ignorance is strength"_ - 1984, a dystopian novel. There are many ignorant... Their desire for shopping, convenience and personal security will enslave us all
@X-if9ny, 2 months ago
This is one of the best tech channels, if not the best, on YT tbh. Highly underrated. Watched about 5 videos so far. All top quality and deserve millions of views. Keep creating these amazing videos ❤
@Sumsubcom, 2 months ago
Thank you very much!
@gillbates21, 2 months ago
this is too advanced for regular ppl
@SREEKUMAR_B, 2 months ago
It is moreover a great hack, which is a Quishing attack
@salutoitoi, 1 month ago
If a programmer creates this code, he should no more be one, because that's basic sense to not trust user input
@7heMech, 2 months ago
Not first
@karimmirak2158, 2 months ago
Who will scan an "unsafe" QR code made by an unknown person?!!!???
@Rey_del, 1 month ago
People do. Make one with the title "free food" and see the number of people who would scan 😢
@user-iw1lp5fq3q, 2 months ago
I'm first
@XXfea, 2 months ago
200 times less... really? I never got beyond 100 and you guys are brainy tech folks? LOL
@mdshihab7967, 2 months ago
I become an ethical hacker. I started learning Python, please help me 😊
@Osman-mh6hm, 2 months ago
Start reading banned books, go to hack forum sites, learn C++, C, Go, learn more programming, learn an IT course, learn about AI
@kaweesaemmanuel2481, 2 months ago
Hello, thanks for the work. Which laptop is good to buy for ethical hacking? I start my learning, thanks
@turn-n-burn1421, 2 months ago
This is neat, but way over my head.
@jeri6533, 2 months ago
I didn't even know it was possible!
2 months ago
too technical
@Nk.gaming12, 2 months ago
Can hack Al
@Nk.gaming12, 2 months ago
Hi sir, want learn hacking, please help me
@ebl-ock, 2 months ago
You sound like a child, but I'll try anyway: hacking is complicated and not very clear. Basically, hackers are creative programmers; just learn programming on projects that interest you, e.g. web dev, and when you are good enough to understand basic concepts of how the internet, websites and computers work, and can work with them to a certain extent, you can look up stuff on "hacking", a popular example being SQL injections, and learn what they are, and then you go from there. It's really not simple to just "hack", but learning these things is just helpful in general.
@kopuz.co.uk., 2 months ago
I'm pretty sure you can inject Python code through the format strings
@Sumsubcom, 2 months ago
Actually no, as we didn't use the f character before the string