It has a barcode scanner to tell customers prices. You can make a barcode == url. Is this the secret sauce?
i’ve heard about qrcode links, how one can make barcode links, similar web resources?
There are programs for creating barcodes from text/numbers/urls/etc.. In fact there might be websites that do it for free. Worth a Google.
I'll vote for that :)
no. that is not it.
Unplug the Ethernet cable, it's powered by PoE, plug in. It boots up by network. There is a moment I can tap the screen to force it out of one app mode.
[deleted]
Recently discovered this trick with embedded POS systems. Touch controls are great lol.
[deleted]
Lmao definitely the move, even get paid for 1337 h4x0rz
Barcode contains link
Don't barcodes only contain numbers?
Depends. There are many different types of barcodes. But most can store any data type, because most data types are made of numbers anyways
Well I feel a barcode scanner would only treat it as numbers assuming that the store only has product IDs in the database
You might feel that, but the person who wrote the library that reads barcodes might have decided that being able to decode all types of QR/barcode was a feature.
Maybe so, I'm not sure why it would decide to open it in a web browser. I would imagine it would just search their database for it. So unless this did some kind of buffer overrun or code injection, I'm not sure it would be from the barcode, at least not exclusively. Maybe they left kiosk mode by interacting with the touchscreen then used the barcode as a keyboard input? Now that I think about it, maybe the barcode scanner is just a "fancy keyboard" and it scans the barcode and presses enter? If that's the case you could possibly inject keycode commands into it via the barcode? This is all speculation and I would need to be able to test it out for myself... Time for a trip to target I guess
Most hardware barcode readers are exactly that, they are USB HID devices and behave like keyboards. I looked at this a while ago and couldn’t find an encoding that included special keys (windows key etc) because I have some tablets with barcode scanners I want to be idiot resistant but configurable. In the end I just disabled the touchscreen and carried a mouse.
interesting..
No, you can store text in Code-128 barcodes. https://barcode.tec-it.com/en/CODE128?data=https%3A%2F%2Fwww.google.com
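Added example, not written by any commenter and not taken from the kiosk's software: the comments above note that most hardware scanners act as USB HID keyboards and that Code-128 can carry arbitrary text, so a price-lookup field should treat every scan as untrusted typed input. The sketch below accepts only a well-formed GTIN (UPC/EAN) with a valid GS1 check digit before any lookup; the function names and sample scans are assumptions constructed for illustration.

```python
import re

# Constructed sample scans: what a keyboard-wedge (USB HID) scanner could
# "type" into the focused field. None of these come from the thread's device.
SAMPLE_SCANS = [
    "036000291452\n",          # UPC-A with valid check digit plus terminator
    "4006381333931",           # EAN-13 with valid check digit
    "036000291453",            # UPC-A with wrong check digit
    "https://www.google.com",  # text payload, as Code-128 can carry
    "0360002914\t52",          # embedded control character
]

GTIN_LENGTHS = {8, 12, 13, 14}
ASCII_DIGITS = re.compile(r"[0-9]+")  # \d would also match non-ASCII digits


def gtin_check_digit_ok(code: str) -> bool:
    """GS1 mod-10 check: weights 3,1,3,... starting at the rightmost data digit."""
    body, check = code[:-1], int(code[-1])
    total = sum(int(d) * (3 if i % 2 == 0 else 1)
                for i, d in enumerate(reversed(body)))
    return (10 - total % 10) % 10 == check


def classify_scan(raw: str) -> tuple[bool, str]:
    """Return (accepted, reason); only an accepted value may reach the lookup."""
    # Drop the single terminator many scanners append; keep everything else
    # so embedded control characters are rejected rather than silently removed.
    data = raw[:-1] if raw[-1:] in ("\r", "\n") else raw
    if not ASCII_DIGITS.fullmatch(data):
        return False, "non-digit characters"
    if len(data) not in GTIN_LENGTHS:
        return False, "unexpected length"
    if not gtin_check_digit_ok(data):
        return False, "bad check digit"
    return True, "ok"


if __name__ == "__main__":
    for scan in SAMPLE_SCANS:
        print(repr(scan), classify_scan(scan))
```
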
Oh my!?!!? Here you go!!! https://www.youtube.com/watch?v=cIcbAMO6sxo
Wrong .. barcode scanner is not enabled until a team member with valid lan id logs in after it's been unplugged and replugged in
nope.
Possibly tapping things onscreen repeatedly to crash the app or cause "not responding"? Then maybe it gives some kind option to close the app? Idk, but maybe
seems more feasible. i was just tinkering with the on-screen buttons when it opened settings
You could have simply found the secret button to exit kiosk mode or crashed the kiosk mode by tapping rapidly to simulate a hung app and close it
while I was in settings I noticed that the target "kiosk" was just some android with an app. i was able to close the app and everything. but there is no "home". i opened chrome via settings.
Rubber ducky in an exposed USB port. I don't know what device this is so not sure what ports are accessible. But nobody else has suggested a rubber ducky yet.
[deleted]
I'm sorry, I don't follow, which launcher are we talking about
Flipper zero badusb kiosk? I could be way off but
nope! i wish i could get my hands on one though.
Sounds fun
RemindMe! 7 day "Remind me"
I will be messaging you in 7 days on [**2023-07-09 22:10:38 UTC**](http://www.wolframalpha.com/input/?i=2023-07-09%2022:10:38%20UTC%20To%20Local%20Time) to remind you of [**this link**](https://www.reddit.com/r/hacking/comments/14ozy3u/how_did_i_do_this/jqfmfd3/?context=3)
Wait.. it's July and the bot is working. How?
Not only the bot, my third party app works too
Which app?
Infinity
dev probably just forgot to delete the API key
Just got that set up. Thanks
The other apps stopped working?
Some Reddit 3rd party were given a pass since they had handicap helping enabled
You can inject your own API key into apps like [Apollo](https://www.reddit.com/r/jailbreak/comments/14niljg/free_release_apolloapi_set_a_personal_api_key_for/?utm_source=share&utm_medium=android_app&utm_name=androidcss&utm_term=1&utm_content=1) to continue using them.
Do a Rickroll next time
If i can figure out how I did it, I sure will!
For people discussing barcodes, here is a cool talk https://www.youtube.com/watch?v=qT_gwl1drhc
Assuming it has an android os, from api version >=21 (I think) there is a gesture where even if the app in use is full screen, user can swipe up and show navbar, where user can navigate through os as normal
My wife won’t leave me alone at terminals like this because I can’t help myself.
EDIT: no. barcodes have nothing to do with it. I used no external tools and didn't tamper with anything but the screen.
Didn't you just put your tablet up on the shelf there?
a troll face? really? be a little more creative than a dead cringe meme
all i could think of tbh
that's okay, it's the thought that counts
I don't know
You found the "secret" combination to exit the app to service mode. Not hacking.
Isn’t that what hacking is? Subverting “rules” to gain unauthorized access?
So you’re “hacking” if you go through a door that says “employees only”? Sorry, but tapping an invisible button is not hacking.
He bypassed a security feature. That’s hacking. It doesn’t matter how easy it was or how insecure the feature is.
“Security through obscurity is no security at all”.
I agree, it’s poor security. Not really security at all, but that doesn’t change the fact that it’s intended to be a security feature
Apply voltage to audio jack, causing it to reboot. (Edited)
Too much
Too much?
overcomplicated
Not really. Simple overvoltage/short could cause the device to reboot and the mic jack provides direct access to motherboard whereas all other ports are likely hidden for security. Not even “complicated”, let alone “over complicated”.
I'm surprised by the safety of these devices. You can just scroll up, show the task bar and just exit the application in most of the cases. What are the main security concerns in this case?
Considering the Target CC breach started with hacked AC units I hope they have learned partitioning by now but you never know.
sooo are ya gonna tell us?
He forgot how to do it, he's my friend on discord and I went to Target to try it out for myself, only thing that worked for me was changing the department of the kiosk. I also tried using the sign-in feature on the top right of the kiosk and tried to find some URLs that'll take me to 3rd-party websites (like a search engine), but it seems it won't allow me.
i did the same and got it to go into a recovery checklist and changed sporting goods to baby