Malicious QR codes combined with a permissive reader can put a computer's contents and user's privacy at risk. QR codes intentionally obscure and compress their contents and intent to humans.[19]They are easily created and may be affixed over legitimate QR codes.[20] On a smartphone, the reader's many permissions may allow use of the camera, full internet access, read/write contact data,GPS, read browser history, read/write local storage, and global system changes.[21][22][23]
Risks include linking to dangerous websites with browser exploits, enabling the microphone/camera/GPS and then streaming those feeds to a remote server, exfiltrating senstive data (passwords, files, contacts, transactions),[24] and sending email/SMS/IM messages or DDOS packets as part of a botnet, corrupting privacy settings, stealing identity,[25] and even containing malicious logic themselves such as JavaScript[26] or a virus.[27][28] These actions may occur in the background while the user only sees the reader opening a harmless webpage. [29]