What could go wrong scanning QR codes

[cocadalcan]

Scanning QR code using a crypto wallet, are they completely safe? Or there are ways that people can still do something wrong while scanning the QR code?

There have been cases of phone hacking through QR code scanning in the past. I came to know about it through the news and since then I have refrained from scanning QR codes through the phone where I have important data stored and wallet installed. If you need QR code for any emergency, it is better not to use the phone where wallet is installed.

[Karl_3000]

Well I'll tell you for free, using copy paste of addresses is actually way better and safer than scanning QR codes. One of the major reasons is because you have the liberty of cross checking the address after you've pasted unlike a QR code you can't read with just your Human eye.

This is not true. There is clipboard malware that does not make the copy and paste to be safe if someone's device has the malware, hackers can be used to steal the person's bitcoin.

Anyone that is using QR code or copy and paste of bitcoin address, the person should go through the address up to two times and make sure the address is correct.

Another thing is that QR code for bitcoin address is safer than copy and paste of the address. I am not talking about all QR codes but the one for crypto addresses.

[noorman0]

The error method is almost non-existent, it's like trying to scan a QR code for a URL unless you don't know how QR codes work. Or, if there's a mismatch with the presented address, it can be assumed there's something wrong with the QR code or the app, not the way you're scanning.

When someone scan a QR code with a crypto wallet isn't the address in the QR code going to be visible?

It depends on how the app is built; after scanning (in most apps), you'll simply be redirected to the default payment wizard, as if you were entering the address manually. You can see the scanned address there.

[masulum]

When someone scan a QR code with a crypto wallet isn't the address in the QR code going to be visible? I think this is how it works but you are right, copy pasting makes you check the address out, but I believe it's the same with scanning QR code, the address is supposed to display before you making transaction.

Tell me if I am wrong.

yep, the address will visible before you are making a transaction, but same as you are using a copy and paste, after you are scanning the QR and the address being added to address recipients, you need to double check the address. This action prevents you from falling victim to address poisoning or QR replacement attacks (Quishing). Whether you are transacting offline or online, you must always stay aware and verify the full address before sending the money/crypto.

[Cricktor]

I have nothing against QR codes when it comes to transfer details over an air-gap. This is when you follow basic opsec.

Commonly you see some details in a (software or hardware) wallet in plain text. If it's a public address that I need to transfer via an air-gab, I see it first in plain text, open the QR code and scan it with an air-gapped device. Once it's scanned and decoded I should see it in plain text on the air-gapped device. Now I would compare source text and destination text representation. I would never skip this check, nor should you.

If they don't match, something is fishy and very wrong. I would never proceed blindly.

If an environment doesn't allow me to perform this basic verification, the environment is useless and shouldn't be used.

The same applies for transaction details or PSBT data or whatnot you transfer else via QR code(s).

[Porfirii]

Scanning QR code using a crypto wallet, are they completely safe? Or there are ways that people can still do something wrong while scanning the QR code?

There have been cases of phone hacking through QR code scanning in the past. I came to know about it through the news and since then I have refrained from scanning QR codes through the phone where I have important data stored and wallet installed. If you need QR code for any emergency, it is better not to use the phone where wallet is installed.

Me too, and not only when it comes to scanning QR codes for crypto transactions, but in general.

For example, yesterday I went to a bar and I saw a sticker in one of the tables in the street, with a QR code and the text "Menu", but the rest of the tables didn't have any. I thought how easy it could be to print stickers with a code that lead to a malicious website and stick them in random places like these.

That's why I never scan QRs if I can avoid it, and especially in the case of transactions, when I prefer to write letter-by-letter the entire address, even if I have to check it out several times before sending.

[Cricktor]

... and I saw a sticker in one of the tables in the street, with a QR code and the text "Menu", but the rest of the tables didn't have any. I thought how easy it could be to print stickers with a code that lead to a malicious website and stick them in random places like these.

Such a malicious QR code sticker attack placed by others is known as Quishing and OcTradism has already mentioned it in this topic.

See

...

Always verify what you scan in the public and don't allow automatic actions like opening an embedded web link or whatever else is encoded in any public QR code. My privacy focused QR code scanner app is setup to first show me the decoded content and I have to check a box to confirm any proposed further actions with the content.

[Mr_Brilliant$]

To safe you all the stress, just copy and paste the address yourself..  it could be safe though, because ive barely heard any bad news about scanning QR codes.. 
But for me I just prefer copy and pasting the address myself..  That is the only way I will be sure and confident of not making any mistake..

[CryptoVoyager24]

This whole qr vs paste debate is a joke. Assume your everyday pc and phone are already backdoored. Zero trust.
Clippers hijack paste. Fake stickers hijack qr. The entry method means literally nothing because the software is untrusted.
The only truth is the hardware wallet display. U can scan whatever garbage u want. Just read the damn address on the physical device screen before u press confirm. Verify the first and last chars manually. Trusting a hot screen is asking to get drained.

[Patikno]

Scanning QR code using a crypto wallet, are they completely safe? Or there are ways that people can still do something wrong while scanning the QR code?

There are still loopholes in scanning QR codes (but indirectly), meaning QR codes can't be hacked or made to look similar, because each QR code is unique, Cmiiw.

I often hear news, about fraudsters swapping QR codes (from genuine to fake), then they can receive transfers from the sender. Well, if this happens with e-money, it might still be easy to track the fraudster, but if it happens with crypto, it becomes more complicated. Therefore, I advise everyone (including me) to be careful with every transaction we intend to make. QR codes make it easy to make fast transactions (which directly direct to the recipient), but we still need to verify before making a transaction. Furthermore, I also recommend that QR code providers display the address, so the sender can verify it easily.

By the way, I once encountered a problem with scanning QR codes. I wanted to buy clothes at a store in my city, and during the payment process, I directly sent the QR code they provided, but then they held me up because their receiving account was problematic. In my opinion, this case is actually the store fault, as they should have ensured their receiving account was active when their store opened, thus avoiding such issues. Well, my case wasn't crypto-related, but I think similar issues could occur with crypto transactions that use QR codes. So, I think receiving wallets should also be checked regularly to ensure there are no issues. In essence, I have provided advices, which I believe is good for both senders and recipients using the QR code method.