QR Code Redirect Hijacking: The Invisible Middleman
When your QR code works, the middleman is invisible. When it breaks, it's too late. Understanding the redirect model is the first step to avoiding it.
Every dynamic QR code you've ever scanned involved a third party you never chose. Between the phone camera and the destination website, a redirect server owned by the QR provider silently forwarded the request. Most users never notice. That's the point.
This article explains what redirect hijacking looks like in practice, what the middleman actually does, and what's at stake.
The redirect sequence
When you scan a static QR for https://shop.example.com:
- Camera reads the QR code
- OS recognizes it as a URL
- Browser opens https://shop.example.com
Three steps. No third parties.
When you scan a dynamic QR for the same destination:
- Camera reads the QR code, which encodes something like https://qr-provider.com/r/x7n2
- OS opens that URL
- qr-provider.com receives a request, logs it, looks up x7n2 in its database
- qr-provider.com issues a 301 or 302 redirect to https://shop.example.com
- Browser follows the redirect and arrives at the real destination
Five steps. An extra party at step 3 — one you never agreed to, never paid, and cannot see.
What the middleman gets
Every single scan produces a server log entry containing:
- Timestamp of the scan
- IP address of the scanner
- User-agent string (device, OS, browser)
- Referrer header (where the scanner came from, if applicable)
- Accept-Language header (language preference)
From these, the provider can infer: approximate geographic location, device type, operating system version, and in aggregate, scan patterns over time. This is marketed to customers as "analytics." It is also, equally, surveillance of the people scanning your codes — who never consented.
What the middleman can do
Change the destination
The redirect destination lives in the provider's database. The QR owner can typically edit it via a dashboard. This is sold as a feature, and for some use cases it genuinely is. But it means the QR code is no longer what it appears to be. The physical artifact says "scan to visit our site." The actual behavior is whatever the provider's database says today.
Disable the redirect
If the owner's subscription lapses, or the account is closed, or the provider's ToS is violated, the redirect can be removed. Every printed copy of the QR code immediately stops working. Users scan and see a generic error page or a 404.
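The five-step sequence, the per-scan log entry, the edited destination and the disabled code can all be seen in one place with a stand-in for the provider. The following is an added example, not code from the original article or from any QR provider: a throwaway redirect server on localhost that mimics qr-provider.com, and a client that plays the phone but stops at the first response so the hop stays visible. The short code x7n2, the /r/ path and shop.example.com are the article's illustration; the "spring-menu" path, the phone user-agent and the language header are constructed values.

```python
import threading
import urllib.error
import urllib.request
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

# Stand-in for the provider's database: short code -> current destination.
# Whoever can edit this table controls where every printed copy of the code goes.
REDIRECT_DB = {"x7n2": "https://shop.example.com"}

# One dict per scan, holding the fields the article lists as what the middleman gets.
SCAN_LOG = []


class RedirectHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        code = self.path.rsplit("/", 1)[-1]
        # Logged before anything else: the provider sees the scan even when the
        # code is unknown or has been disabled.
        SCAN_LOG.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "code": code,
            "ip": self.client_address[0],
            "user_agent": self.headers.get("User-Agent"),
            "referer": self.headers.get("Referer"),
            "accept_language": self.headers.get("Accept-Language"),
        })
        dest = REDIRECT_DB.get(code)
        if dest is None:
            self.send_error(404, "QR code not found")  # lapsed or disabled code
            return
        self.send_response(302)
        self.send_header("Location", dest)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo's stdout quiet


def start_provider():
    """Run the fake provider on an ephemeral localhost port; return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), RedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib surface the 3xx instead of following it.
    def redirect_request(self, *args, **kwargs):
        return None


def scan(short_url, user_agent="ExamplePhone/1.0", accept_language="de-DE"):
    """Play the phone: request the URL the QR encodes, but stop at the first
    response so the hop is visible. Returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(short_url, headers={
        "User-Agent": user_agent, "Accept-Language": accept_language})
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx and 4xx both land here
        return err.code, err.headers.get("Location")


def run_scenarios():
    """Normal redirect, edited destination, disabled code: three behaviours the
    printed code looks identical for. Returns the observed responses and log."""
    REDIRECT_DB["x7n2"] = "https://shop.example.com"
    SCAN_LOG.clear()
    server, base = start_provider()
    short_url = f"{base}/r/x7n2"
    try:
        results = {"normal": scan(short_url)}
        REDIRECT_DB["x7n2"] = "https://shop.example.com/spring-menu"  # edited in the "dashboard"
        results["edited"] = scan(short_url)
        del REDIRECT_DB["x7n2"]  # subscription lapsed, code removed
        results["disabled"] = scan(short_url)
    finally:
        server.shutdown()
        server.server_close()
    results["scans_logged"] = len(SCAN_LOG)
    results["last_log"] = SCAN_LOG[-1]
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Running it shows the same short URL answering 302 to the shop, then 302 to a different path, then 404, while the log grows by one entry per scan regardless of the outcome. The real provider's handler differs only in scale: the lookup, the log line and the Location header are the whole mechanism.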
Inject an intermediate page
Some providers route dynamic QR scans through a branded intermediate page before the final redirect — showing ads, asking for consent, collecting email addresses. The QR owner usually didn't sign up for this. It's added later, as the provider monetizes more aggressively.
Sell or lose the scan data
Scan logs are valuable. They've been sold to analytics brokers, used to train ad-targeting models, and — in at least a few documented breaches — leaked when providers were compromised. Your customers scanned a menu; now their device fingerprint lives in a breach dataset.
Why users never notice
Modern browsers follow redirects automatically. Unless you have developer tools open, you don't see the intermediate hop. The scan feels instant because a redirect is fast (when it works). From the user's perspective, a dynamic QR behaves identically to a static one.
Until the redirect server fails. Then the experience diverges sharply — but by that point, the QR code is already printed on a thousand surfaces.
Security implications
A redirect server is a single point of failure for every QR code that depends on it. Three attack surfaces worth considering:
- Account takeover. If an attacker gains access to the QR owner's provider account, they can redirect every QR to a phishing page. Customers scan the physical code expecting the restaurant menu; they land on a credential-harvesting clone of the restaurant's login page.
- Provider compromise. If the QR provider itself is breached, every dynamic QR in circulation is potentially repointed at attacker-controlled content. This is not theoretical — breach disclosures exist for multiple QR-as-a-service providers.
- DNS or TLS failure at the provider. If the redirect domain stops resolving or the TLS cert expires, every QR depending on it fails. Not a malicious actor — just ordinary operational risk that the QR owner doesn't control.
Static QR codes have none of these failure modes, because there is no third-party server between the scan and the destination.
How to check if you're scanning a redirect
Use a QR scanner that shows the decoded content before following it — our web scanner does this. Scan the QR code and inspect the decoded URL. If it's your actual destination, the QR is static. If it's something like qrco.de/xyz or a short domain you don't recognize, it's a redirect — and a third party is sitting in the middle.
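Inspecting the decoded URL by eye works for one code; for the codes you have already printed, the same check should run on a schedule and cover the three failure modes above (repointed destination, disabled code, provider DNS or TLS failure). This is an added example, not the article's scanner or any provider's code: it walks the redirect chain one hop at a time without following anything blindly, names every host that sits between the scan and the destination, and reports why a code no longer lands where it should. The hosts qr-provider.com and shop.example.com are the article's; the FAKE_WEB table, the short codes other than x7n2 and not-the-shop.example.net are constructed so the check runs offline, and live_fetch is what you would use against the real network.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx responses instead of following them


def live_fetch(url):
    """One HEAD request with redirects disabled. Returns (status, Location).
    Network problems (DNS, TLS, refused) come back as a string status so the
    caller can report them as an outcome rather than crash."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=10) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")
    except urllib.error.URLError as err:
        return f"error: {err.reason}", None


def resolve_chain(url, fetch=live_fetch):
    """Walk redirects one hop at a time; returns [(url, status), ...]."""
    hops, seen = [], set()
    while len(hops) < MAX_HOPS:
        if url in seen:
            hops.append((url, "loop"))
            break
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status))
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        break
    return hops


def assess(decoded_url, expected_destination, fetch=live_fetch):
    """Compare what a QR decodes to with where its owner intends it to land."""
    expected_host = urlparse(expected_destination).hostname
    if urlparse(decoded_url).hostname == expected_host:
        # The payload is the destination itself: nothing sits in between.
        return {"kind": "static", "third_parties": [], "chain": [], "ok": True, "problem": None}
    chain = resolve_chain(decoded_url, fetch)
    final_url, final_status = chain[-1]
    final_host = urlparse(final_url).hostname
    hosts = {urlparse(u).hostname for u, _ in chain}
    third_parties = sorted(h for h in hosts if h and h != expected_host)
    if not isinstance(final_status, int):
        problem = f"{final_host}: {final_status}"  # DNS/TLS failure or redirect loop
    elif final_status >= 400:
        problem = f"{final_host} returned {final_status}"  # disabled code or dead provider
    elif final_host != expected_host:
        problem = f"lands on {final_host}, not {expected_host}"  # repointed
    else:
        problem = None
    return {"kind": "redirect", "third_parties": third_parties, "chain": chain,
            "ok": problem is None, "problem": problem}


def monitor(printed_codes, fetch=live_fetch):
    """For each (decoded_url, expected_destination) pair you have in print,
    return {decoded_url: problem} for the ones that no longer check out."""
    alerts = {}
    for decoded_url, expected in printed_codes:
        result = assess(decoded_url, expected, fetch)
        if not result["ok"]:
            alerts[decoded_url] = result["problem"]
    return alerts


# Constructed stand-in for the network so the check runs offline.
FAKE_WEB = {
    "https://qr-provider.com/r/x7n2": (302, "https://shop.example.com"),
    "https://shop.example.com": (200, None),
    "https://qr-provider.com/r/dead": (404, None),           # code disabled
    "https://qr-provider.com/r/moved": (302, "https://not-the-shop.example.net"),
    "https://not-the-shop.example.net": (200, None),         # repointed elsewhere
}


def fake_fetch(url):
    return FAKE_WEB.get(url, ("error: name resolution failed", None))


if __name__ == "__main__":
    print(assess("https://qr-provider.com/r/x7n2", "https://shop.example.com", fake_fetch))
    print(monitor([("https://qr-provider.com/r/dead", "https://shop.example.com"),
                   ("https://qr-provider.com/r/gone", "https://shop.example.com")], fake_fetch))
```

A static payload short-circuits to "static" with no third parties because the decoded URL already is the destination. For a redirect, the chain and the third_parties list are exactly what the browser hides from the user, and the problem string is the alert you want raised before a customer is the one to discover it.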
The alternative
Generate QR codes that encode your destination directly. No third-party servers, no redirect logs, no subscription. See static vs dynamic QR codes for the full comparison, and the truth about QR code scams for why the middleman model dominates the industry.
Or just generate a static QR code and stop worrying.