Keyboard Cowboy More and-or less confused after tomorrow

1 Jan 2008

‘BEEP’ goes the check-out, “oh shi…” goes the cashier

What is in this seemingly innocent barcode? Well, if you’re a fan of xkcd, you might be able to guess. For the barcode-inept, the code reads the following:

Robert'); DROP TABLE Students;--

This comes in light of a recent presentation given at the 24th Chaos Computer Congress (24C3) in Berlin, Germany. Phenoelit gave the presentation, and I would have to say that it opened my eyes to the common insecurity of barcodes.

When I was proposing an event ticket system, I was considering a system built on GNU Barcode, the tool mentioned in the articles and video. Never once did I give any thought to possible SQL injections, buffer overflows, or anything else of that ilk when I considered sending confirmation PDFs via e-mail containing a scannable document that could be used instead of providing proper identification. I can tell you that if I do end up working with such things in the future, I will be careful to harden anything that includes barcode reading.
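What hardening barcode reading looks like in practice, as an added example that is not part of the original post: a scanned string is first spliced straight into an INSERT, which is the pattern the xkcd payload above is written for, and then handled the defensive way, with an allowlist check on the raw scan followed by a parameterized query. The Students table, the name format, and the 64-character cap are assumptions made for the example; SQLite's executescript stands in for a driver that accepts several statements per call, which is what lets a single scan carry a second statement.

```python
import re
import sqlite3

# Constructed sample scans: a plain name, a name with an apostrophe,
# and the payload quoted in the post.
PLAIN_SCAN = "Bob"
APOSTROPHE_SCAN = "O'Brien"
PAYLOAD_SCAN = "Robert'); DROP TABLE Students;--"

# Assumed policy for a scanned name field: letters, spaces, hyphens and
# apostrophes only, with a length cap so an oversized scan is dropped at
# the boundary instead of reaching fixed-size buffers further along.
MAX_SCAN_LEN = 64
NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z' -]*$")


def fresh_db():
    """In-memory database holding the (assumed) Students table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE Students (name TEXT);"
        "INSERT INTO Students (name) VALUES ('Alice');"
    )
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def register_vulnerable(conn, scanned):
    """Splices the scanner's bytes straight into SQL (the mistake).

    executescript() plays the role of a driver that runs every statement
    it is handed, so the scan can close the INSERT and append its own
    DROP TABLE. Returns True if the Students table survived the scan.
    """
    sql = f"INSERT INTO Students (name) VALUES ('{scanned}')"
    conn.executescript(sql)
    return table_exists(conn, "Students")


def validate_scan(scanned):
    """Allowlist check applied before the scan reaches any other code."""
    return len(scanned) <= MAX_SCAN_LEN and NAME_PATTERN.match(scanned) is not None


def register_hardened(conn, scanned):
    """Rejects out-of-policy scans and binds the rest as a parameter.

    Returns "rejected" or "inserted".
    """
    if not validate_scan(scanned):
        return "rejected"
    conn.execute("INSERT INTO Students (name) VALUES (?)", (scanned,))
    return "inserted"


def bind_without_validation(conn, scanned):
    """Parameter binding alone: the scan is stored as data, never parsed as SQL.

    Returns the names now in the table, so the caller can see the payload
    sitting there as a literal string with the table intact.
    """
    conn.execute("INSERT INTO Students (name) VALUES (?)", (scanned,))
    return student_names(conn)


def student_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM Students ORDER BY name")]


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable, plain scan, table intact:", register_vulnerable(db, PLAIN_SCAN))
    db = fresh_db()
    print("vulnerable, payload scan, table intact:", register_vulnerable(db, PAYLOAD_SCAN))
    db = fresh_db()
    print("hardened, payload scan:", register_hardened(db, PAYLOAD_SCAN))
    print("hardened, O'Brien:", register_hardened(db, APOSTROPHE_SCAN), student_names(db))
    db = fresh_db()
    print("bound only, payload scan:", bind_without_validation(db, PAYLOAD_SCAN))
```

The two layers do different jobs: binding the scan as a parameter is what stops it from ever being parsed as SQL (and, as the O'Brien case shows, it also keeps legitimate apostrophes working, which the string-splicing version cannot), while the allowlist and length cap reject scans that do not look like the data the system expects before they touch any parser, database or otherwise.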

In light of this, I immediately began to scour my wallet for anything containing some sort of barcode. For the longest time, I have been interested more or less solely in what is on the magstripes, but now the barcodes are a curiosity to me as well. I did discover something with my Safeway card (and the pile I took before I left the company), but I will be toying with them and will report later on what I find.

It will be interesting to see where this goes from here.

Ed: It has been well over a year and a half since I wrote this. I probably should do something about what I said I would do.

Filed under: Security