Suspicious 40gmail.com URL generated when I scan an Amazon 2-factor auth barcode with Zxing app.


Darren Evans

Dec 26, 2016, 11:58:32 AM
to zxing
Just tried setting up 2-factor auth for my Amazon account and it presented me with a barcode to scan. I absent-mindedly fired up my ZXing Barcode Scanner app instead of using the scanner in my Google Authenticator and got the following URL generated:

otpauth://totp/Amazon%3Aseefer%40gmail.com?secret=<long_number_here>

The long_number_here was a large string of uppercase alphanumeric that I didn't want to paste in here.

Opening this URL in my browser sent me on a string of redirects to various dodgy survey sites. I typed 40gmail.com directly into Chrome and many of the redirects sent me to destinations that Chrome blocked as unsafe.

Why is the Zxing Barcode Scanner app generating this questionable URL from the Amazon 2-factor barcode?

I obviously should be scanning this app with my chosen auth app but I thought it worthwhile pointing out this behaviour when scanning using Zxing Barcode Scanner because it all looks mighty suspicious.

Sean Owen

Dec 29, 2016, 4:41:26 PM
to zxing
Most importantly: the app is not generating the barcode at all. It's reading it. I can't say what or why is in this barcode as it's unrelated to anything here.

It's just showing you what's in the barcode, so I'm not sure why you suspect the app is somehow generating the URL or modifying it? If you care to, try an unrelated online decoder or another app. It doesn't do anything of the sort.

Now, I also think you're misreading the URL. %3A is an escape for ':' and %40 is an escape for '@'. So this is really just a path encoding something like otpauth://totp/Amazon:see...@gmail.com?secret=...   The escapes are needed because : and @ are reserved characters in a URL. I assume that could be your valid email address. So likely all as expected.
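The decoding Sean describes can be checked directly. The following is an added example (not code from the thread or from the ZXing project) that splits an otpauth:// provisioning URI into its parts, percent-decodes the label so that %3A and %40 come back as ':' and '@', and validates that the secret is base32, which is why it appeared as a run of uppercase alphanumerics. The account name and secret in the sample URI are constructed, not the original poster's values; only the shape of the URI is taken from the thread. It also shows why pasting the string into a browser leads nowhere useful: the scheme is otpauth, not http or https, so a browser has no business opening it.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample in the shape of the URI quoted above. The account is
# made up and the secret is a sample base32 string, not a real key.
SAMPLE_URI = "otpauth://totp/Amazon%3Aalice%40gmail.com?secret=JBSWY3DPEHPK3PXP"


def decode_escapes(uri):
    """Map every %XX escape in the URI to the character it stands for.

    For the sample this yields {'%3A': ':', '%40': '@'}, which is where the
    misread '40gmail.com' came from: '%40gmail.com' is just '@gmail.com'.
    """
    escapes = sorted(set(re.findall(r"%[0-9A-Fa-f]{2}", uri)))
    return {esc: unquote(esc) for esc in escapes}


def is_browser_url(uri):
    """True only for schemes a web browser should actually fetch."""
    return urlsplit(uri).scheme.lower() in ("http", "https")


def parse_otpauth(uri):
    """Decode an otpauth:// provisioning URI into its parts.

    Returns a dict with the OTP type, issuer, account, raw secret, decoded
    key bytes and remaining query parameters. Raises ValueError if the scheme
    is not otpauth or the secret is not valid base32.
    """
    parts = urlsplit(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URI, scheme is %r" % parts.scheme)
    # Because of the '//', urlsplit places the OTP type (totp/hotp) where a
    # hostname would normally go.
    otp_type = parts.netloc
    # The label is in the path, percent-encoded. unquote() reverses that,
    # turning %3A into ':' and %40 into '@'.
    label = unquote(parts.path.lstrip("/"))
    issuer, sep, account = label.partition(":")
    if not sep:  # label carried no "Issuer:" prefix
        issuer, account = "", label
    params = parse_qs(parts.query)
    secret = params.get("secret", [""])[0]
    # Secrets are base32 (A-Z and 2-7), hence the uppercase alphanumeric look.
    # Pad to a multiple of 8 so unpadded secrets (the common form) decode too.
    padded = secret.upper() + "=" * (-len(secret) % 8)
    try:
        key_bytes = base64.b32decode(padded)
    except Exception as exc:
        raise ValueError("secret is not base32: %s" % exc)
    return {
        "type": otp_type,
        "issuer": issuer,
        "account": account,
        "secret": secret,
        "key_bytes": key_bytes,
        "params": {k: v for k, v in params.items() if k != "secret"},
    }


if __name__ == "__main__":
    print(decode_escapes(SAMPLE_URI))
    print("browser URL?", is_browser_url(SAMPLE_URI))
    info = parse_otpauth(SAMPLE_URI)
    print(info["type"], info["issuer"], info["account"], len(info["key_bytes"]), "key bytes")
```

Running it on the constructed sample reports the two escapes, that the URI is not something a browser should open, and a label of issuer "Amazon" with account "alice@gmail.com". An authenticator app performs exactly this decoding before it starts generating codes from the key bytes; a barcode reader only hands you the string.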