Just tried setting up 2-factor auth for my Amazon account and it presented me with a barcode to scan. I absent-mindedly fired up my ZXing Barcode Scanner app instead of using the scanner in my Google Authenticator and got the following URL generated:
otpauth://totp/Amazon%3Aseefer%40gmail.com?secret=<long_number_here>
The long_number_here was a large string of uppercase alphanumeric that I didn't want to paste in here.
Opening this URL in my browser sent me on a string of redirects to various dodgy survey sites. I typed 40gmail.com directly into Chrome and many of the redirects sent me to destinations that Chrome blocked as unsafe.
Why is the ZXing Barcode Scanner app generating this questionable URL from the Amazon 2-factor barcode?
I obviously should be scanning this app with my chosen auth app but I thought it worthwhile pointing out this behaviour when scanning using ZXing Barcode Scanner because it all looks mighty suspicious.
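An added example, not part of the original post and not code from ZXing, Google Authenticator or Amazon: it decodes an otpauth:// URI of the shape quoted above, showing that `%3A` and `%40` are the percent-encoded `:` and `@` of the label `Amazon:seefer@gmail.com`, and that `40gmail.com` is only what remains of that label when the text is split at the `%`. The secret below is a constructed sample value, and the hostname regex is an assumption about how a generic text linkifier might pick out a link.

```python
import base64
import re
from urllib.parse import urlsplit, unquote, parse_qs

# Constructed sample: same shape as the URI in the post, with a made-up secret.
SAMPLE = "otpauth://totp/Amazon%3Aseefer%40gmail.com?secret=JBSWY3DPEHPK3PXP"

def parse_otpauth(uri):
    """Decode an otpauth://TYPE/LABEL?PARAMS URI into its fields."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    if parts.netloc not in ("totp", "hotp"):
        raise ValueError("unknown OTP type: %r" % parts.netloc)
    # The label is percent-encoded: %3A is ':' and %40 is '@'.
    label = unquote(parts.path.lstrip("/"))
    issuer, _, account = label.rpartition(":")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret = params.get("secret", "")
    # The secret is Base32 text; decode it only to validate it and get its size.
    padded = secret.upper() + "=" * (-len(secret) % 8)
    key = base64.b32decode(padded)
    return {
        "type": parts.netloc,
        "issuer": issuer,
        "account": account,
        "secret_bytes": len(key),  # report the length, never the key itself
    }

def hostname_like_fragments(text):
    """Assumed linkifier behaviour: return runs of raw text that look like host names."""
    return re.findall(r"[A-Za-z0-9-]+(?:\.[A-Za-z]{2,})+", text)

if __name__ == "__main__":
    print(parse_otpauth(SAMPLE))
    print(hostname_like_fragments(SAMPLE))
```

The `secret` parameter is the shared TOTP key itself, so the full URI should be treated like a password and kept out of browsers, chat and logs.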