QR Codes and Trust Chains

Trust is an interesting thing. Who do you trust when you scan a QR code on the side of a McDonald’s Happy Meal? McDonald’s of course, but the list is a lot longer and stranger than that…

Let’s look at the URL encoded here. It points to a short-link service operated by short.io, served from their short.gy domain…

The .gy country-code TLD belongs to the nation of Guyana, whose principal university is the administrator of the domain.

Professor Greene is the Chancellor of the university and in theory could demand the DNS record be pointed elsewhere. Or the government of Guyana could.

Anyone with a *.gy domain places trust in a number of entities in Guyana. What percentage of folks asked to scan this code could identify Guyana on a map, let alone assess how much they trust a Guyanese entity?

But it gets better…!

Short.gy is operated by a company called short.io based out of Bulgaria, with a CEO “Andrey” (on the website) or Andrii (on LinkedIn) who dropped out of university and worked on (presumably questionably legitimate) Viagra websites.

You trust this guy to redirect you?

Why would McDonald’s expose their users to this kind of threat profile? Probably not intentionally or explicitly. But the internet is a wooly and interconnected place.

And if you put your trust in too many actors, one will eventually abuse that trust.
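
For anyone publishing a QR code, the chain above can be written down before printing. The following is an added example, not part of the original post: a Python sketch that lists the parties a scanner ends up trusting for a recorded redirect chain. The brand.example domain, the short.gy/EXAMPLE path and the function names are constructed assumptions, and the TLD is taken naively as the last label of the host.

```python
from urllib.parse import urlsplit

# Assumption: domains the publisher itself controls (constructed placeholder).
FIRST_PARTY = ("brand.example",)

def is_first_party(host, first_party=FIRST_PARTY):
    """True if host is a first-party domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in first_party)

def trust_chain(hops, first_party=FIRST_PARTY):
    """List the parties trusted along a redirect chain, in order of appearance.

    hops: the QR payload URL followed by each redirect target, as recorded
    by the publisher while testing the code (no network access here).
    """
    parties = []
    for url in hops:
        host = (urlsplit(url).hostname or "").rstrip(".")
        if not host:
            raise ValueError(f"no host in {url!r}")
        # Every name depends on its TLD registry. Naive: last label only;
        # a real audit would use the Public Suffix List.
        found = [("tld-registry", "." + host.rsplit(".", 1)[-1])]
        if not is_first_party(host, first_party):
            found.append(("third-party-operator", host))
        for party in found:
            if party not in parties:
                parties.append(party)
    return parties

# Constructed chains: a short link versus a direct first-party URL.
VIA_SHORTENER = ["https://short.gy/EXAMPLE", "https://www.brand.example/promo"]
DIRECT = ["https://www.brand.example/promo"]

if __name__ == "__main__":
    for name, chain in (("shortener", VIA_SHORTENER), ("direct", DIRECT)):
        print(name, trust_chain(chain))
```

The short link adds two parties (the .gy registry and the short.gy operator) that the direct first-party URL does not involve.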

Originally posted on LinkedIn