QR Code Scanner
Upload any image to instantly decode its QR code. All processing happens locally — nothing is sent to any server.
Advertisement · Anuncio
Drag and drop an image, or click to select
Supports PNG, JPG, GIF, WebP
Advertisement · Anuncio
A QR (Quick Response) code is a two-dimensional matrix barcode that stores information in a grid of black and white squares. Originally developed by Denso Wave in 1994, QR codes can encode URLs, plain text, contact information, Wi-Fi credentials, and payment details. They include Reed-Solomon error correction, allowing up to 30% of the code's data to be restored even if damaged — which is why QR codes remain scannable even with logos overlaid.
Decoding starts by locating the three finder patterns — the distinctive nested squares in the corners. These allow the software to calculate orientation even if the code is rotated or skewed. The format information strip encodes the error correction level and data mask. Data codewords are then read by traversing the grid in a two-column zigzag pattern, followed by Reed-Solomon error correction to reconstruct any damaged data.
Quishing embeds fraudulent URLs inside QR codes to trick victims into visiting phishing pages or downloading malware. Unlike traditional phishing links, QR codes are visually opaque — a human cannot read the embedded URL by looking at the code. The FBI's IC3 issued a warning in 2022 about tampered QR codes after attackers placed fake stickers over legitimate codes on parking meters, directing victims to spoofed payment portals.
Always preview the decoded URL before navigating to it. Be especially cautious of QR codes in public places — on posters, flyers, parking meters, or restaurant tables — where a sticker could have been placed over a legitimate code. If the QR code is on a sticker that appears added on top of an original surface, treat it with suspicion. Legitimate organizations rarely require you to scan a QR code for account verification.
After decoding, examine the URL closely. Check that the domain name is exactly what you expect — attackers use typosquatting (e.g., "paypa1.com") or subdomain tricks (e.g., "paypal.com.malicious-site.xyz"). The real domain is the part immediately before the first single slash. For suspicious links, paste the URL into VirusTotal or Google Safe Browsing before visiting. Short URLs (bit.ly, tinyurl.com) can hide the final destination — use a URL expander first.
Can QR codes contain malware?
Not directly. A QR code is a data container — it holds text or a URL, not executable code. However, it can encode a URL pointing to a page that hosts malware downloads or exploit kits. Always inspect the decoded URL before visiting.
Is this scanner safe to use?
Yes. This tool uses the open-source jsQR library, which runs entirely within your browser. Your image is never uploaded to any server. All decoding happens locally on your device — turn off your internet connection after the page loads and the scanner will still work.
What types of data can QR codes contain?
QR codes can encode: URLs, plain text, vCard contact information, Wi-Fi credentials (SSID, password, security type), email addresses, SMS messages, phone numbers, geographic coordinates, calendar events, and cryptocurrency payment addresses.
Why wasn't my QR code detected?
Detection can fail due to: low image resolution, poor lighting or heavy shadows, the code being only partially visible, significant damage covering more than 30% of the code (exceeding Reed-Solomon correction capacity), or extreme perspective distortion. Try a new photo with the code flat, well-lit, and fully visible.
What is quishing?
Quishing is QR code phishing — a social engineering attack using malicious QR codes to direct victims to fraudulent websites. It is particularly effective because QR codes are visually unreadable to humans, and many email security gateways do not inspect QR code images the way they inspect embedded links.