This was a few years ago (so I hope there have been patches since then) but I watched a video which was trying to make an entire game within a QR code: they don’t have to just be links, they can be binaries that some devices will immediately run without question!
Quite the opposite. That video by mattkc (iirc) repeatedly and unequivocally says that to make this work, he made his pc save the binary and explicitly run it using a python script, because doing it natively would be fucking insane
You’re right, I must have been thinking of something else. Happily I can’t find any chatter about actual malware in QR codes (it’s all redirecting to malicious websites), though obviously there’s always the possibility of a new exploit being discovered.
The 3DS used to be hacked using a QR code that was scanned using the game cubic ninja (it used QR codes as a medium for sharing levels). The interpreter had a basic memory safety bug, so you could trigger a ROP chain using a malformed QR code to get ACE. This was of course voluntary by the user (and cubic ninja was hard to get because it was not a commercial success) but that qualifies, I guess.
Then they found out the 3ds browser uses a WebKit version from 2003 and nowadays you just go to a website lol
ACE on a WiiU is just as easy, at least with the Wii you had to use a game!
