Recently, QR codes have firmly entered our daily lives, whether we like it or not. But they can also pose a security risk, as the user may not always know in advance which website they are being directed to. While dedicated scanner apps usually show you which URL is hidden inside a QR code, Google Camera seems to try to automatically correct addresses it thinks are wrong, which is more trouble than it’s worth.
According to the German edition of Heise, after an investigation, the Google Camera app on Android 12 regularly issues at least three types of erroneous addresses.
The first type of misspelled addresses is most common when an address is hidden behind a QR code using country code top-level domains (ccTLDs). Google Camera inserts an extra dot in such cases. For example, https://fooco.at becomes https://foo.co.at. As Heise discovered, the problem affects not only the Austrian .at domain, but also the .au, .br, .hu, .il, .kr, .nz, .ru, .tr, .uk and .za domains.
The second issue concerns addresses with top-level domains that are longer than two letters (such as the Catalan .cat). In such a case, Google Camera can “swallow” the remainder, turning the Catalan independence referendum address https://referendum.cat into a non-existent Canadian address https://referendum.ca. The same problem exists for .int, .pro, .travel, .apple, .bet, .beer, and .amex, with almost all of them abbreviated to the first two letters, with the exception of .apple, which becomes .app. The issue also affects new top-level domains such as .army, .art, .arte, .arab, .audio, .auto, and .autos.
Another problem concerns addresses with numbers in the subdomain (usually in the www part). Here Google Camera randomly adds a period again, turning working addresses like the Royal Bank of Canada https://www6.rbc.com into non-working addresses like https://www.6.rbc.com. Moreover, errors can be combined. As a result, https://www2co.at will become https://www.2.co.at.
The problems appear not only in Chrome, but also in other browsers, even if they are set as the default application on an Android 12 device. For example, when using Firefox, users will still be redirected to the wrong link when scanning a QR code using Google Camera.
Google Camera only reads QR codes when the user activates Google Lens suggestions in their settings. At the same time, according to Heise, the standalone Google Lens app itself works fine with all types of QR codes and does not cause any errors.
Heise was able to confirm their findings with Pixel 3 XL, 3a, 4, 4a, 5, and 6 Pro running Android 12. Pixel 3a running Android 11 did not experience the issue, but after updating to the latest OS, it did.