Adam Wilbert

This is a wild QR code proof of concept that resolves to two different URLs depending on the angle and distance your camera happens to be at.

By @isziaui via hackaday.com/2025/01/23/this-q

@awilbert It works (scanning the code from my computer screen on a mobile phone) I either get the profile for @isziaui or a Github repo - I suppose it is like those things you got as a kid where you moved the item around and got different images or a "moving" image? (I forget what those are actually called or if there is a proper name for them)

@awilbert @isziaui Whoa! Creepy. Like the hairs on the back of my neck stood up when I tested it.

@awilbert@mastodon.social @isziaui@mstdn.social It's because it's embedded one QR code into another and there's enough error correction being used in the larger QR code that it ignores the smaller one embedded in it.

@mike30030 Nope. There’s no larger or smaller, they are both the same size.

@awilbert @isziaui That's interesting!

I wonder about possible uses 🤔

@awilbert @isziaui This is perverse and awesome and I hate it. Top marks.

@awilbert haha, yes, abusing computer vision for fun and internet points! love to see novel edge cases :neofox_glasses:

@awilbert @isziaui a missed opportunity to have one URL link an image of a blue and black dress, and the other to an image of a white and gold dress. Brilliant nonetheless!

@awilbert how does this work? (Not QR code itself🤣), to me it seems to be the same one. Or did you encode different addresses on the different places, both with the same checksum?

Edit: typos

@theVedek
If I had to do it, I would use some kind of convolution to find one low-pass image of qr code 1 (i.e. smoothed) and some high-pass image of qr code 2 (only the fine details part). I'd then merge those two and apply some binarizer with dithering to it. Should work.
@awilbert

@datenhalde @theVedek the article explains how it's done, and it's much simpler than the high-pass/low-pass illusions. For every square that's different between the two QR codes, make it into a 2x2 grid like a small checkerboard. If the square is black in QR A, fill in the 2x2 checkerboard diagonally like / . Otherwise fill it in the other way \ .

@awilbert @datenhalde @theVedek The QR code specification suggests this as a decoding algorithm: Locate the finder patterns and their coordinates, then use that to calculate the center points of all cells and sample the *single pixel* at that point.
This is how some of the "art" QR codes work: you can have an arbitrary background, as long as a sufficiently large "pixel" in the center has the right color.

Now, if you have a checkerboard right in the center, that will lead to ambiguous results.

@awilbert @datenhalde @theVedek An alternative implementation would be to calculate the boundaries of the areas that each cell covers and then average the image over that area. That will still work with an art QR code if the center pixel sufficiently skews the average, and will still generate "random" results if the area is made up of a 50% black and 50% white checkerboard.

Bonus impls use the additional hints and timing pattern to locate cells in non-even surfaces, but the principles remain.
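
The two sampling strategies from the posts above, run over modules split into a 2x2 checkerboard, plus a scanner-side check that flags such modules. This is an added example, not part of the thread or the linked article; the 3x3 grid, `SCALE`, the function names and the 25%/75% thresholds are constructed for illustration.

```python
SCALE = 4  # pixels per module side in the constructed sample (assumption)

def render(modules):
    """Rasterise a module grid. 0/1 are solid white/black modules; '/' and
    '\\' are modules split into a 2x2 checkerboard as the thread describes."""
    n = len(modules)
    img = [[0] * (n * SCALE) for _ in range(n * SCALE)]
    for r in range(n):
        for c in range(n):
            m = modules[r][c]
            for y in range(SCALE):
                for x in range(SCALE):
                    qy, qx = y >= SCALE // 2, x >= SCALE // 2
                    if m == '/':
                        dark = qy != qx      # top-right and bottom-left dark
                    elif m == '\\':
                        dark = qy == qx      # top-left and bottom-right dark
                    else:
                        dark = bool(m)
                    img[r * SCALE + y][c * SCALE + x] = int(dark)
    return img

def sample(img, n, dx=0, dy=0):
    """Center-pixel decoding: read one pixel per module, at the module
    center shifted by (dx, dy) pixels to model a small alignment error."""
    mid = SCALE // 2
    return [[img[r * SCALE + mid + dy][c * SCALE + mid + dx]
             for c in range(n)] for r in range(n)]

def dark_fraction(img, r, c):
    """Area-average decoding: fraction of dark pixels inside module (r, c)."""
    rows = img[r * SCALE:(r + 1) * SCALE]
    return sum(sum(row[c * SCALE:(c + 1) * SCALE]) for row in rows) / SCALE ** 2

def ambiguous_modules(img, n, lo=0.25, hi=0.75):
    """Modules whose area average is too close to 50% to classify reliably."""
    return [(r, c) for r in range(n) for c in range(n)
            if lo < dark_fraction(img, r, c) < hi]

# Constructed 3x3 sample, not a real QR symbol.
MODULES = [[1, 0, 1], [0, '/', 0], [1, '\\', 1]]
IMG = render(MODULES)

if __name__ == "__main__":
    print(sample(IMG, 3))           # reading with centered sampling
    print(sample(IMG, 3, dx=-1))    # reading with a one-pixel shift
    print(ambiguous_modules(IMG, 3))
```

A scanner that counts ambiguous modules before decoding can refuse or warn on a symbol where that count is unusually high, instead of returning whichever reading its alignment happened to produce.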

@theVedek

It's explained in the "but how" link...

@ePD5qRxX oops. Thank you! (I thought the link was the same as the video, and thus didn't look.)

@awilbert @isziaui Cool! It didn't work on my Samsung Galaxy, but that one has difficulties scanning QR codes under an angle anyway.

@awilbert @isziaui might that be caused by the moiré effect between the QR code element and the camera's pixels?

@59b I doubt that has any influence, the QR code pixels are typically much larger than the camera pixels so there is no moiré.

@awilbert @isziaui I'm not familiar with QR's internals, but could this be a security risk? Say one of these is distributed somewhere. 9/10 people who try to load it get the safe link, giving the code a safe reputation. But 1/10 people are given a spoofed link (they happen to load it from some special angle or something), trust it because the code worked for other people, and have all sorts of mischief inflicted upon them.

Is this realistic and something the public should be concerned about?

@awilbert@mastodon.social @isziaui@mstdn.social holy crap, this is incredible!

now that you mention it, I could totally understand how the QR standard can be abused for this, but I never even considered attacks on the code reconstruction algorithm before!!

@awilbert @lzg @isziaui What an incredible piece of engineering. I hate it. This deserves an award. It's perverse. Nice.

@awilbert @isziaui Oh, clever! Breaking up the pixels into subpixels so that the system has to guess the value of the noise'd up pixels and guesses differently based on details of position.

That's a hell of a hack. 😄