Tuesday, April 19, 2011

QR Code check-ins and how they're already broken

GetGlue has made a lot of hoopla recently over their "new" idea of using a QR code to check in to a web-based service. You'll pardon me if I'm somewhat less than impressed by this advancement in their service after examining it in depth. Using QR codes to direct people to a given URL isn't anything new and has been happening overseas since the mid-to-late '90s. It appears that all the QR code provided by GetGlue does is direct the user's mobile device to GetGlue's standard mobile web page with a specific check-in argument. The user still has to confirm the check-in, just like they normally would on any mobile check-in. I'm getting a bit ahead of myself here, so let's have a look at how their QR-based check-ins work:

The first item up for analysis is the following image:

This image came from an official GetGlue giveaway at a Game of Thrones event and was provided by one of the forum members. Decoding the QR image provides the following link:


If you look at the structure of the link it makes sense. It sends you over to GetGlue's Mobile site to check-in to the item, tacking on a source argument. Click on the image above to get a larger view and you can try it out for yourself with your smartphone or a QR-reader program.

Now on its own the above discovery may not look like much, but this led us to the confirmation of the following link:


Yes, this is the QR code link from the official Ricky Martin concert poster. This was found in Alex Iskold's slides from his presentation to the AdTech conference, which were posted online, and the code was summarily decoded. See the image below:

In theory all one should have to do with either of these is zap the QR Code with their device that has a QR reader and they'll be taken to GetGlue's mobile page to sign in. Once they've signed in they should be able to check-in and earn the accompanying sticker, right?

Well... that's how it works in theory, anyway.

We'd had prior reports from more than one concert-goer that the QR code from the poster did nothing special at that time. It took you to a mobile check-in page, let you check-in, and that was it. No triggering of anything unique, no concert-only sticker, only a standard check-in (although in the case of Ricky Martin it would net you the single-check sticker if you hadn't already earned it, ditto for the Mobiler sticker). The M.A.S. sticker finally went live this morning at some point, leading one to ask what GetGlue is going to do for the users that went to any of the earlier concerts and were not awarded the sticker, but that's another topic entirely. As far as the QR Codes go, in theory, one could take either of these links and plug them into a standard web browser to check-in, much the way one could in order to earn the "Mobiler" sticker without having to check-in from a mobile device. We've already proved this morning that it works without a hitch when everyone and their dog was suddenly able to earn the M.A.S. sticker.

So what does this tell us?

1. GetGlue is using a fairly simplistic check-in system with their QR codes.

They pretty much have to, otherwise they'd have to lock it to a specific device and that would not endear them to a fairly large segment of their user base. They've already ticked off a good chunk of people that don't have a smartphone capable of reading QR codes. That's not to mention that they'd have to write back-end code to handle more complex check-ins, in addition to talking their partners into using multiple versions of a QR code on different posters or some such, if they wanted to get more complicated with it.

2. The QR code check-ins don't seem to do anything special other than check you in with a specific argument - the sticker availability is still controlled by the Powers That Be at GetGlue.

There's apparently no specific lock on earning the M.A.S. sticker other than it being a mobile check-in with the "?source=qrcode" at the end. This is fine and dandy, but it still relies on GetGlue to make sure the sticker is set to be available. Ricky Martin already had seven previous tour dates at the time of this writing, all of which supposedly had the QR code available. While we have no exact data on how many people checked-in via the code from those shows, if I were one of those users I would be more than a little bit ticked.

3. There's no way of telling that a sticker is going to be locked behind a QR code until someone finds the code and uses it to check-in and earn the sticker.

No one has earned the Peter Bjorn and John tour sticker, nor has anyone earned the Steve Aoki tour sticker, despite both of them being currently on tour. The theory right now is that these stickers are behind QR codes as well, but unless we hear something from someone that's been to one of their shows we'll never know. It may not necessarily be a problem, though, because...

4. Faking a QR code check-in is currently dead simple.

Want proof of number 4? Take a closer look at the URL structure.


First we've got the standard pointer to the GetGlue Mobile page, which is set up so that everyone who has a phone with a web browser can use it. Next we have the /checkin/ directory, which sets it up for a check-in to whatever comes next. Following that you have the overall category (/tv_shows/) and the specific topic (/game_of_thrones), followed by the source argument that indicates the check-in came from a QR code. A generic QR check-in URL would look something like this:


Using this, you can extrapolate for pretty much any topic out there in GetGlue-land, including what are likely other candidates for QR-related check-ins. For example, we'll pick on Steve Aoki. He has an "on tour" sticker but no one can seem to get it to trigger. No one has said anything about it being a QR check-in, but it wouldn't shock me if it was. Using what we know from above, we can guess what his QR check-in might be. For example, his page on GetGlue:


would become:


Pretty simple, eh? Using this logic one can effectively spoof any QR code check-in GetGlue throws at us until they change the URL structure. Whether that check-in actually works or not is totally at the mercy of GetGlue, so your mileage may vary when it comes to the actual functionality of this method.
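To make the point of sections 1 through 4 concrete, here is an added Python example (not GetGlue's code, and not from this post's author) that models the URL layout described above: host, /checkin/, category, topic, and the source argument. It contrasts the policy the post describes, where the server trusts a `source=qrcode` flag that anyone can type, with the per-poster random code idea raised in the comments below: a server-minted token bound to the topic by an HMAC and accepted once. The host name `m.example.invalid`, the secret, the `token` query parameter and the `other_show` topic are constructed placeholders, not anything GetGlue actually uses.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Placeholder standing in for GetGlue's mobile host (an assumption; the real host is not used here).
MOBILE_HOST = "m.example.invalid"


def parse_checkin_url(url):
    """Split a check-in URL into the parts the post identifies:
    https://<host>/checkin/<category>/<topic>?source=<source>[&token=<token>]
    Returns None if the URL does not have that shape."""
    parts = urlparse(url)
    segments = [s for s in parts.path.split("/") if s]
    if parts.netloc != MOBILE_HOST or len(segments) != 3 or segments[0] != "checkin":
        return None
    query = parse_qs(parts.query)
    return {
        "category": segments[1],
        "topic": segments[2],
        "source": query.get("source", [None])[0],
        "token": query.get("token", [None])[0],
    }


def build_checkin_url(category, topic, source="qrcode", token=None):
    """Assemble a URL with the same layout. Every part is derivable from the
    topic name, so the bare source flag is no proof that a poster was scanned."""
    url = f"https://{MOBILE_HOST}/checkin/{category}/{topic}?source={source}"
    if token is not None:
        url += f"&token={token}"
    return url


class CheckinServer:
    """Toy back end with two award policies.
    'flag'  : award when source=qrcode is present (the behaviour the post describes).
    'token' : award only for a server-minted, topic-bound, single-use token."""

    def __init__(self, secret):
        self.secret = secret
        self.redeemed = set()  # tokens already used, to stop replay

    def _mac(self, nonce, category, topic):
        msg = f"{nonce}:{category}/{topic}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:16]

    def mint_qr_token(self, category, topic):
        """Token printed into one poster's QR code: a random nonce plus an HMAC that
        binds it to the topic, so it cannot be derived from the topic name alone."""
        nonce = secrets.token_hex(8)
        return f"{nonce}.{self._mac(nonce, category, topic)}"

    def award_sticker(self, url, policy):
        info = parse_checkin_url(url)
        if info is None:
            return False
        if policy == "flag":
            return info["source"] == "qrcode"
        token = info["token"]
        if not token or token in self.redeemed or token.count(".") != 1:
            return False
        nonce, mac = token.split(".")
        expected = self._mac(nonce, info["category"], info["topic"])
        if not hmac.compare_digest(mac, expected):
            return False
        self.redeemed.add(token)
        return True


def demo():
    """Run both policies against a URL assembled from the topic name and against
    a URL carrying a minted token; returns which attempts earn the sticker."""
    server = CheckinServer(secret=b"constructed-demo-secret")
    guessed = build_checkin_url("tv_shows", "game_of_thrones")
    token = server.mint_qr_token("tv_shows", "game_of_thrones")
    real = build_checkin_url("tv_shows", "game_of_thrones", token=token)
    # The same token pasted onto a different (constructed) topic's URL
    moved = build_checkin_url("tv_shows", "other_show", token=token)
    return {
        "flag_policy_accepts_guess": server.award_sticker(guessed, "flag"),
        "token_policy_accepts_guess": server.award_sticker(guessed, "token"),
        "token_policy_accepts_other_topic": server.award_sticker(moved, "token"),
        "token_policy_accepts_real": server.award_sticker(real, "token"),
        "token_policy_accepts_replay": server.award_sticker(real, "token"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

As comment 3 below notes, the token only moves the bar: whoever scans the poster still gets the URL, so a per-poster code stops guessing from the topic name and stops reuse once redeemed, but it cannot tell a scan at the venue from a scan of a photo of the poster. Binding the check-in to the app (comment 4) or to location is a separate control with its own weaknesses (comment 5).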

Big thanks to both Lindsay for her hard work on this and dab for providing the GoT image!


  1. I love a good challenge! I just wish GG had activated the sticker so it worked the first time I tried it. That would have been so much more satisfying :)

    Thanks to GG CEO Alex for putting the code in his presentation. Bet he didn't think we could get the link out of it.

  2. Nice find. I hope they don't plug the hole before Tribeca.

  3. The thing is, if they are going to use a URL for these QR code check-ins there won't ever be a permanent way to plug it. The worst they can do is that instead of having a single parameter for all QR check-ins they have a random string code for each sticker. You'll still always be able to scan a QR code and get the URL though.

  4. If GG integrates a QR reader in their mobile apps they could possibly plug the hole. It would require making their API a little more robust but it could be done.

  5. Two words: Location Spoofer

    or if you're on an iDevice, three words, the first of which is "jailbreak"