How Are QR Codes Hacked? SQL Injections

  • Published Dec 23, 2024

Comments • 109

  • @Sumsubcom
    @Sumsubcom 9 months ago +10

    Who scanned all the QR codes? What's your fav? Drop the meme

  • @oussama7132
    @oussama7132 9 months ago +34

    wouldn't the devs be able to use parametrized queries or validate user input? can't they compare only the id and get the price from the db? and can't the qr codes be encrypted?

    • @anselminos5238
      @anselminos5238 9 months ago +7

      A developer can prevent this from doing damage by sanitizing the special characters in the data that is going to be inserted into the SQL query. Sanitization is most commonly done by the library (code that the developer didn't write) that the developer uses to access the database; however, if the developer isn't paying attention to how he is inserting the data into the SQL query, it may lead to the vulnerability displayed in the video, which is known as an SQL injection. As you mentioned, parametrized queries are the most common way the database libraries provide the possibility to insert data into the query without it being vulnerable to SQL injections.

    • @vaggelis_best
      @vaggelis_best 9 months ago

      Very nice points! I don't really know the answer but they sound like very good solutions to me👍

    • @jld3106
      @jld3106 9 months ago

      Can't you just use a simple length check on the variable or check if it fits into the scheme. Like is it a number? Or the simple escape checks already mentioned. This is so easily prevented. Also if it actually ever worked anywhere I bet you it was fixed in 30 minutes. And rolling out by then.

    • @lucaslothbrook5388
      @lucaslothbrook5388 9 months ago

      I'm no expert but I didn't think it'd be this easy either and this could be prevented, GPT 3.5 pretty much says what these guys do.. "In summary, SQL injection vulnerabilities arise when user input is not properly sanitized or validated before being used in SQL queries, allowing attackers to manipulate the queries in unintended ways. It's crucial for developers to use parameterized queries or prepared statements and input validation to prevent SQL injection attacks."

    • @Sumsubcom
      @Sumsubcom 9 months ago +2

      Well, parameterized queries are a reliable and at the same time simple protection against SQL injections. But it is important to remember that depending on the logic of the application, OS injections are also possible, where a different approach to processing user input is required.
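
As an added example (not code from the video, from Sumsub or from any commenter) of the two defences raised in this thread, the parameterized queries anselminos5238 describes and the "is it a number?" length check jld3106 mentions, the Python below looks up a product price from a scanned QR payload both the unsafe way and the hardened way. It uses the standard sqlite3 module with a constructed three-item catalogue; table, column and function names are assumptions.

```python
import re
import sqlite3

# Constructed sample catalogue. The QR code carries only a product id;
# the price lives in the database and is looked up server-side.
PRODUCTS = [(1, "bananas", 0.99), (2, "coffee", 4.50), (3, "television", 499.00)]


def make_db():
    """Build an in-memory SQLite database holding the sample catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def lookup_price_unsafe(conn, qr_payload):
    """Vulnerable pattern: the decoded QR text is pasted into the SQL string.

    Anything in the payload that is not a bare number becomes part of the
    query itself, so the row returned is no longer tied to the scanned item.
    """
    sql = f"SELECT price FROM products WHERE id = {qr_payload}"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# A product id is one to twelve ASCII digits: this is the length-and-type
# check from the thread. Anything else is rejected before touching the DB.
QR_ID = re.compile(r"[0-9]{1,12}")


def lookup_price(conn, qr_payload):
    """Hardened pattern: validate the payload, then bind it as a parameter.

    The driver sends the value separately from the SQL text, so even a
    payload that slips past validation can never be parsed as SQL.
    """
    if not QR_ID.fullmatch(qr_payload):
        return None
    row = conn.execute(
        "SELECT price FROM products WHERE id = ?", (int(qr_payload),)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for payload in ("3", "3 OR 1=1", "99"):
        print(f"{payload!r}: unsafe={lookup_price_unsafe(db, payload)!r} "
              f"hardened={lookup_price(db, payload)!r}")
```

With the payload `3 OR 1=1` the unsafe lookup returns the price of the first row in the table rather than product 3, while the hardened lookup rejects the payload outright.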

  • @aw_dev
    @aw_dev 9 months ago +30

    Input sanitization? This video makes no sense.

    • @heliorosa8148
      @heliorosa8148 9 months ago

      it's garbage fear based shilling for their products

    • @Primeagen
      @Primeagen 9 months ago +8

      This video makes sense. Now input sanitization is required to stop this type of attack

    • @Sumsubcom
      @Sumsubcom 9 months ago +10

      Yup, control the input data. Never directly expose them.

    • @chiroyce
      @chiroyce 9 months ago +1

      @Primeagen This doesn't just apply to QR codes though, anywhere in any application input sanitization is a must.

  • @bjtaudio
    @bjtaudio 9 months ago +7

    Also, prices come from the database, as they may change; the QR code doesn't need to change, nor should it contain the price. No database designer would include the price in the QR code, allowing an attacker to change the price or even change the behavior. It's programming madness. No one would be so stupid to allow this.

    • @lucaslothbrook5388
      @lucaslothbrook5388 9 months ago

      yeah totally... i thought a qr just contained a product ID. Things go on sale.... prices change, same qr.

    • @stevesteve8098
      @stevesteve8098 8 months ago

      LOL, clearly you have never worked on a programming team.....
      This sort of shit is sooooo common it is unbelievable.... and some of these ass clown programmers are pulling down >$150kusd a year....

  • @bjtaudio
    @bjtaudio 9 months ago +7

    My understanding is a qr code is used as a simple id code for a product, nothing else. As it is used to just identify just one item from a list of valid products from your database, if any other code including sql injection is attempted it would not work as your system simply will not use it, it just is looking for the product id and that is it. It would be stupid to design or allow a qr code to include sql code, to change critical database behavior, if it is attempted, it should be ignored, or come up with an invalid code error.

    • @1879heikkisorsa
      @1879heikkisorsa 9 months ago +1

      😂 you clearly have not understood the issue. The problem here is that without proper input sanitation such a system is vulnerable by default. It's not a feature developers add, but a threat that is often forgotten.

    • @stevesteve8098
      @stevesteve8098 8 months ago

      LOL... you are clearly NOT a hacker..... or even appear to have the skills needed to think of how this is working.
      What is worse, you just watched an instructional video.... of how to do it and you STILL could not get your head round it.
      You potentially have a strong future in top management.
      This is even more dangerous if you consider that there are morons walking about with powerful handheld computers, scanning QR codes all over the place.
      It is what happens when simps or millennials think they are "rockstar" computer programmers.
      I worked in a company where one of their "ROCKSTAR" programmers was writing business systems so full of exploits it was embarrassing...
      I tried to point it out but no one was listening.... in the end I left....
      He later left and went to work for a big retailer as programmer lead.... I see his handiwork all over their customer-facing systems...
      The frightening thing is that MOST large businesses are NOT interested in doing things right. I have seen systems that are complete shells, where management evaluate screen graphics as an indication of "professionalism".
      They are not interested if you show them 2 IDENTICAL screens but the code behind one of them is full of exploits.
      But if I made the one full of exploits have flashy shit or colour... that's the one they would pick.

  • @petertrex
    @petertrex 9 months ago +8

    What is this video??? This does not make sense in at least the shopping scenario, and likely for others.
    Why take QR payment for example? Items in the stores are coded in a standardized barcode, with only what item that is supposed to be; price data is in the POS system, which asks the DB for the price. There is no way a malicious actor can change the price with a QR code.
    Also, payment processors know these risks, so the payment authorization QR has 2 types:
    one where the customer scans the store code and sends the amount, which requires the customer to show how much they send (apps prompt to show it to the clerk), or the opposite, where the store scans your barcode with your UserID (again, not a QR), then the store system asks for the processing of said amount, and the result shows up on the customer's device.
    Also, if there is funny business, the payment will just error out like a credit card gets rejected.
    Don't get me wrong, SQL injection can still be possible if the system were configured in such a way that the QR contains a value that shouldn't be altered.
    But that kind of configuration needs to be configured on a per-store, per-item basis, so a normal POS system with compatibility with a payment processor is pretty safe from these kinds of attacks.
    Like I said, it will reject the payment or error out.
    I think you are out of touch, and there were several mistakes in the video. At least 5.
    Your videos are usually very good but not this one.

    • @lucaslothbrook5388
      @lucaslothbrook5388 9 months ago +1

      Even if a store used QR like this, if a QR only contains a product id and is compared to a DB, how does this work at all? You change an id and it comes up as an error. I'm so confused and this is a waste of time lol

    • @Sumsubcom
      @Sumsubcom 9 months ago

      There are no uniform standards - you can see this even without a trained eye just by looking at the different types of data in QR codes - someone stores a URL, someone a unique long value, and somewhere a simple number. It is also worth not forgetting about vending machines, where the budget can be much lower and things can be even worse. Personally, in practice, we have encountered not only SQL injection but even OS injection

  • @aaronrdaniels
    @aaronrdaniels 9 months ago +4

    Well done taking the time with the QR thumbnail

    • @Sumsubcom
      @Sumsubcom 9 months ago +2

      Did you scan the other qr codes in the video? :)

    • @aaronrdaniels
      @aaronrdaniels 9 months ago

      @Sumsubcom noooo, thanks for the heads-up! I definitely wouldn't have. Ur videos always go in my watch later list because I actually want to pay attention to the full thing. U don't just make background study videos 🖤

  • @exe7936
    @exe7936 9 months ago +8

    Well idea is cool but almost all stores use bar code not qr codes

    • @stevesteve8098
      @stevesteve8098 8 months ago +1

      In 3rd world countries ... yes.... but not in Asia...

  • @criticalgrower
    @criticalgrower 9 months ago +3

    That is definitely one good quality video that got me stuck to the screen wondering how. I'm a programmer and still I haven't heard of that before.

    • @stevesteve8098
      @stevesteve8098 8 months ago

      Not surprising if you don't deal with databases......
      This is the SQL language.... and each database has a different version of the language.
      So for example, if you are a C#, C, C++ or Java programmer you would NEVER see this.... unless you were working with databases.

  • @hixe
    @hixe 9 months ago +57

    Dude, your videos are usually great, but you are out of touch here. 100%.

    • @Philippians4.13Enjoyer
      @Philippians4.13Enjoyer 9 months ago +1

      What do you mean

    • @hixe
      @hixe 9 months ago +20

      @Philippians4.13Enjoyer He doesn't seem to understand how QR codes actually work, they don't contain price data at all, and they are not identifiers..

    • @aw_dev
      @aw_dev 9 months ago +6

      Agreed.

    • @HedgehogGolf
      @HedgehogGolf 9 months ago +3

      @hixe What do you mean? At 5:15 he says that in this hypothetical scenario the QR code stores only an identifier and not the price or anything like that.

    • @zekiz774
      @zekiz774 9 months ago +8

      @HedgehogGolf 5:35 "and all this can fit into a QR code"
      I know what's meant, but it is really misleading. This video isn't about QR codes but SQL injections.

  • @SALTINBANK
    @SALTINBANK 9 months ago +11

    Always wear white gloves to type stealthily on the keyboard guys ...

    • @Sumsubcom
      @Sumsubcom 9 months ago +1

      Yeah........... *felt attacked*

    • @SALTINBANK
      @SALTINBANK 9 months ago

      @Sumsubcom you won't ... just a joke, chill, we are on the same side: I just don't like stereotypes but I understand it is for the show ...

  • @mhmrules
    @mhmrules 2 months ago

    What do I do if I have a link to my website attached to a QR code? Right now I want to put it on all of the print material (postcard and business card sized adverts) and put it where I can (ex. coffee shops, gyms, local stores). I get the feeling that this is a bad idea, and I'd like to know what I can do instead of this. I'm open to SERIOUS suggestions.

  • @HESHUI-g9k
    @HESHUI-g9k 9 months ago

    Excellent video, I hope to recommend more!

    • @Sumsubcom
      @Sumsubcom 9 months ago

      Thanks, will do!

  • @goofballbiscuits3647
    @goofballbiscuits3647 9 months ago +4

    "An SQL query is an entire language" ... What?
    Ima head out. No one has been susceptible to SQL injection in years; unless you have edit rights to a database, you aren't changing a thing in the database, and QR codes are single data points well outside the perimeter of injecting SQL. They are almost always a URL nowadays. You won't have table names, credentials to get into any database or anything, because no one does this with QR codes, and no decent company will be this dumb on this many levels.
    This video is clearly fearmongering piggybacking disinformation in order to plug a business. That's an unsub from me.

    • @Sumsubcom
      @Sumsubcom 9 months ago

      QR codes more often represent an identifier when the data itself is in some database. For example, a QR code when entering a museum or transport will not contain the number of passes in the code itself. This reduces the risk of data forgery

  • @worgle123
    @worgle123 9 months ago +3

    People who scanned that thumbnail QR
    👇

    • @Sumsubcom
      @Sumsubcom 9 months ago +1

      you're the coolest ones

  • @AlexisJunior
    @AlexisJunior 7 months ago

    Interesting, thanks!

  • @juniper_b0nsai245
    @juniper_b0nsai245 9 months ago +4

    Love the channel - keep it up!

    • @Sumsubcom
      @Sumsubcom 9 months ago +1

      Thanks man!

  • @tiojoe_
    @tiojoe_ 9 months ago +7

    Your video had me on the edge of my seat, like waiting for a breath of fresh air!
    Your content is truly the pinnacle of excellence, and I always find myself eagerly anticipating each new release.

    • @Sumsubcom
      @Sumsubcom 9 months ago +1

      That's so inspirational. Thank you very much. Our team is happy that you guys like our videos!

  • @rotechs
    @rotechs 9 months ago +1

    This video is fiction! Checkout systems don't work that way! The price can't be changed by the QR code because the price is stored in the database, to which the scanning terminals only have read-only access. Forget SQL injection because the data is always sanitised. At best, all you will get are errors if you dare scan a dodgy QR code and hopefully it will trigger a store alarm in a secure environment! 😊 Also, some cool self-checkout systems also have a scale to measure the total weight of the items you checked out to ensure the weight corresponds with the weight of the items saved in the database. Forget about it.

  • @sierragutenberg
    @sierragutenberg 9 months ago +2

    Bro thinks we're living in 2010, grocery stores aren't that stupid bud, everybody sanitizes their SQL queries or uses some ORM nowadays...

  • @MsHojat
    @MsHojat 8 months ago

    I find that QR codes are typically just things like URLs or user names/ids/addresses; such as the case with COVID-19 vaccination QR codes. Seems a lot harder to hack the typical sort of uses like that. In theory injection could still be done, but only if there was no sanitation, and typical cases like URL accessers ("browsers") and apps that use user ids or what-not all have sanitation in them already, not required for the users/businesses to ever set up.

  • @Ahmed-zg1iv
    @Ahmed-zg1iv 9 months ago +2

    Me trying to scan all the QR codes shown in the video 💀

    • @Sumsubcom
      @Sumsubcom 9 months ago +2

      we love to leave hints

  • @forestcat512
    @forestcat512 9 months ago +1

    Everything that comes from the user could potentially be dangerous; never trust the user is the way to go here. Also, you said you won't be doing a tutorial on this and then continued to make a tutorial.

  • @valtersIT
    @valtersIT 8 months ago

    Interesting. Only if the cashier doesn't get suspicious that a guy buys a TV for 0.01

  • @ChewyDrift
    @ChewyDrift 8 months ago

    The hacker hacked the keyboard 😂

  • @lewisgraf6643
    @lewisgraf6643 9 months ago +1

    And what about barcodes?

    • @manu_ovg
      @manu_ovg 9 months ago +1

      Looks like we can't (at least not yet)

  • @X-if9ny
    @X-if9ny 9 months ago +1

    This is one of the best tech channels, if not the best, on YT tbh. Highly underrated. Watched about 5 videos so far. All top quality and deserve millions of views. Keep creating these amazing videos ❤

    • @Sumsubcom
      @Sumsubcom 9 months ago

      Thank you very much!

  • @joesmith942
    @joesmith942 9 months ago

    As presented, this seems hypothetical. Are there examples of people changing prices or taking down a store? The risk/reward for cheap bananas seems skewed towards not attacking.

    • @stevesteve8098
      @stevesteve8098 8 months ago

      Yes.........
      And there are examples of hackers pasting over QR codes at car parking sites, where the user scans the QR code & downloads a malware app.

  • @rj7855
    @rj7855 9 months ago

    I never saw a shop using QR codes for its prices; every store uses good old barcodes with an EAN/UPC code, and the encoding capacity of these codes is far too short for an SQL injection.
    Moreover, any professional developer sanitizes any external input; long gone are the days of script kiddies developing retail solutions.

  • @arcanondrum6543
    @arcanondrum6543 9 months ago +5

    _"Ignorance is strength"_ - 1984, a dystopian novel. There are many ignorant.. Their desire for shopping, convenience and personal security will enslave us all.

  • @sbcinema
    @sbcinema 9 months ago +1

    Nice, free food for everyone 🙂

  • @RubensRainelli
    @RubensRainelli 7 months ago

    Sincerely, I have never seen such a dumb way to set prices in Italy... On the barcode there are only IDs and not prices... 😂

  • @KooLaidStudios
    @KooLaidStudios 9 months ago

    Can you do the same with barcodes?

    • @Sumsubcom
      @Sumsubcom 9 months ago

      Thanks for the idea, we'll think about it!

  • @miguelangelrodriguez8999
    @miguelangelrodriguez8999 9 months ago

    Thank you

  • @salutoitoi
    @salutoitoi 8 months ago

    If a programmer creates this code, he should no longer be one, because it's basic sense not to trust user input.

  • @amansaiyed0
    @amansaiyed0 9 months ago

    Sumsub next year completes 10 years for sumsub company
    🎉

  • @miteshvalvi1170
    @miteshvalvi1170 9 months ago

    Awesome video sir

    • @Sumsubcom
      @Sumsubcom 9 months ago

      Thanks from our big team :)

  • @cameronrich2536
    @cameronrich2536 8 months ago

    Pretty sure flippers have screens... at least mine does

  • @matthieuobyrne4715
    @matthieuobyrne4715 8 months ago

    At that point just don't scan anything and steal it

  • @user-random-1
    @user-random-1 9 months ago

    I think I got enough information to replicate that trick

  • @gillbates21
    @gillbates21 9 months ago

    This is too advanced for regular ppl

  • @XXfea
    @XXfea 9 months ago +1

    200 times less . . really?
    I never got beyond 100
    and you guys are brainy tech folks? LOL

  • @v1991c
    @v1991c 2 months ago

    The amount of work that goes into these videos, is it worth the investment? (money-wise)

  • @SREEKUMAR_B
    @SREEKUMAR_B 9 months ago

    Is is more over great hack, which is Quishing attack

  • @GGjeri
    @GGjeri 9 months ago

    I didn’t even know it was possible!

  • @mdshihab7967
    @mdshihab7967 9 months ago +1

    I become an ethical hacker. I started learning Python, please help me 😊

    • @Osman-mh6hm
      @Osman-mh6hm 9 months ago

      Start reading banned books go to hack forums sites learn c++ c go learn more programming learn a It alot course learn about ai

    • @kaweesaemmanuel2481
      @kaweesaemmanuel2481 8 months ago

      Hello, thanks for the work. Which laptop is good for ethical hacking I to buy I start my leaning thanks

  • @turn-n-burn1421
    @turn-n-burn1421 9 months ago

    This is neat, but way over my head.

  • @yashfu
    @yashfu 8 months ago

    cool

  • @Chuckenudykdn0973
    @Chuckenudykdn0973 9 months ago

    Acc live for these

  • @karimmirak2158
    @karimmirak2158 9 months ago

    Who will scan an "unsafe" QR code made by unknown person ?!!!???

    • @fideledem
      @fideledem 8 months ago

      People do. Make one with the title "free food" and see the number of people who would scan 😢

  • @PlainCrow
    @PlainCrow 9 months ago

    I'm first

  • @7heMech
    @7heMech 9 months ago

    Not first

  • @Nk.gaming12
    @Nk.gaming12 9 months ago +1

    Can hack Al

  • @Nk.gaming12
    @Nk.gaming12 9 months ago +1

    Hi sir, I want to learn hacking, please help me

    • @ebl-ock
      @ebl-ock 9 months ago

      You sound like a child but I'll try anyway. Hacking is complicated and not very clear; basically hackers are creative programmers. Just learn programming on projects that interest you, e.g. web dev, and when you are good enough to understand basic concepts of how the internet, websites and computers work, and can work with them to a certain extent, you can look up stuff on "hacking", a popular example being SQL injections, and learn what they are, and then you go from there. It's really not simple to just "hack", but learning these things is just helpful in general.