What's Inside a QR Code? How They Encode Data (and the Risks)
· by Andergrove Software
A QR code looks like random noise, but it is really a 2D barcode: a grid of black and white squares that encodes a short piece of text — most often a URL. Understanding what the squares mean explains a lot, including why a code still works when it is partly torn or has a logo stamped in the middle, and where the one real security risk lies.
You can make your own — with the data fully under your control — in the QR code generator. This post explains how they actually work.
Modules, finder patterns, and the quiet zone
Each small square in a QR code is called a module, and it is one bit: dark or light. The three big square "eyes" in the corners are finder patterns — they let a camera locate the code and work out its orientation and size no matter which way up it is held. Smaller alignment patterns help the scanner correct for angle and curvature, and thin timing lines running between the finders give it a ruler to count modules. The blank margin around the whole thing, the quiet zone, is not decoration: scanners need it to tell where the code ends, which is why a QR code crammed against other content sometimes fails to read.
Everything else — the seemingly random field in the middle — is the encoded data plus its error-correction bits.
What a QR code can hold
The data is just bytes, so a QR code can carry several kinds of content, and the scanning app decides what to do based on a short prefix:
- A URL (`https://…`) — by far the most common; the phone offers to open it.
- Plain text.
- Wi-Fi credentials (`WIFI:S:network;T:WPA;P:password;;`) — join a network by scanning.
- A contact card (vCard), an email, a phone number, a calendar event, or geographic coordinates.
Capacity depends on the version (size) and the error-correction level, but a typical code comfortably holds a long URL. The more data, the more modules, so a code encoding a whole vCard looks denser than one holding a short link. In practice you want codes to stay short — a compact URL scans faster and more reliably from a distance than a dense one.
Error correction: why a damaged code still scans
QR codes use Reed–Solomon error correction, the same family of maths that protects CDs and DVDs from scratches. Redundant information is woven throughout the code so the original data can be reconstructed even when part of it is unreadable. There are four levels — L, M, Q and H — recovering roughly 7%, 15%, 25% and 30% of the code respectively.
This is the secret behind two everyday sights. A code printed on a crumpled receipt or a rain-spotted poster still scans because the missing modules fall within what error correction can rebuild. And a code with a company logo in the middle works because it was generated at a high correction level (H), so the logo simply occupies modules the code can afford to lose. The trade-off is size: higher correction means more redundant modules, so a denser code for the same data.
The real risk: you cannot see the URL
Here is the security problem, and it is inherent to the format: a QR code is not human-readable. You cannot look at the squares and know where they point. When the payload is a link, you are trusting it sight-unseen — and attackers have noticed. "Quishing" (QR phishing) swaps a legitimate code for one that leads to a credential-harvesting page or a malware download: a sticker over the code on a parking meter, a doctored code in an email, a poster in a public place.
A few habits defuse most of it:
- Preview the URL before opening. Most phone cameras show the destination as a banner first — read it, do not tap reflexively.
- Be suspicious of physical codes in public, especially stickers that look applied over something else.
- Never scan a code to "log in" or "pay" from an unsolicited message.
- Check the domain, not just that it looks plausible — `paypa1.com` is not `paypal.com`.
The technology is sound; the risk is entirely that you are asked to trust a link you cannot read. Treat a scanned URL exactly as you would treat a link in an email from a stranger.
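To make the two ideas above concrete (the prefix a scanner dispatches on, and the "check the domain" habit), here is an added example that is not part of the original post: it classifies a decoded payload by prefix, parses the `WIFI:` format shown earlier, and flags a link whose domain is one digit-for-letter swap away from a name you trust. The allowlist, the confusable table and the sample payloads are constructed assumptions, and the two-label domain reduction stands in for a real public-suffix list.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of domains the reader expects to land on (assumption).
EXPECTED_DOMAINS = {"paypal.com", "andergrove.com"}

# Digit/symbol swaps that lookalike domains rely on: paypa1.com -> paypal.com.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l"})

def payload_kind(payload):
    """Classify a decoded payload by the prefix a scanner app dispatches on."""
    head = payload.lstrip()
    if re.match(r"WIFI:", head, re.I):
        return "wifi"
    if re.match(r"https?://", head, re.I):
        return "url"
    if re.match(r"BEGIN:VCARD", head, re.I):
        return "vcard"
    m = re.match(r"(mailto|tel|geo|sms):", head, re.I)
    return m.group(1).lower() if m else "text"

def parse_wifi(payload):
    """Split WIFI:S:network;T:WPA;P:password;; into fields (';' in a value is escaped as '\\;')."""
    fields = {}
    for part in re.split(r"(?<!\\);", payload[len("WIFI:"):]):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key] = value.replace("\\;", ";")
    return fields

def registrable_domain(url):
    """Host minus userinfo/port, reduced to its last two labels (assumption: no public-suffix list)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def assess_url(url):
    """Return (verdict, domain) for a scanned link: the 'read the banner, check the domain' habit."""
    domain = registrable_domain(url)
    if domain in EXPECTED_DOMAINS:
        return "ok", domain
    if domain.translate(CONFUSABLES) in EXPECTED_DOMAINS:
        return "lookalike", domain  # one swapped character away from a trusted name
    if urlsplit(url).scheme.lower() != "https":
        return "unencrypted", domain
    return "unknown", domain
```

Note that `paypal.com.verify.example` comes back as `unknown`, not `ok`: the trusted name appears only as a subdomain label, which is exactly what the domain check is meant to catch.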
Generating your own safely
When you create a code, you control the payload, so there is no mystery — you know exactly what it encodes. Keep the destination short and legible (a clean URL, not a redirector that hides the real target), pick an error-correction level that matches where it will live (higher for print that might get damaged or carry a logo), and test it with a couple of real phones before you print a thousand copies.
The Andergrove QR code generator builds codes entirely in your browser — the data you encode is never uploaded — and exports PNG or SVG with a selectable error-correction level. For the wider theme of trusting what you cannot see, the security cluster is worth a read: how JSON Web Tokens work and how long it takes to crack a password.