For those who don’t know, it’s where someone takes a QR code like on a poster for a concert and puts a sticker with a different QR code on top to a fake website that looks like the concert website (or a Rick Roll).
The obvious answer is to scratch off the QR code if you notice it’s a sticker, but It’s not always acceptable -or legal- to start damaging stuff to check if it’s real or not. Also what if it’s out of reach on a sign or something?
You can’t put a little text under saying what the website is as a sort of checksum because the vandal can just write their own website under their sticker.
They’re not a url, they’re just a string that’s often a url. There’s no (technical) reason why it couldn’t be a signed public key, or a signed url that the camera app could validate
Yes, they are just data, but commonly that data encodes a url.
I agree, it could be made more secure, but getting rid of url shorteners and trackers that obfuscate real urls would be a step in the right direction with no new software needed.