Professional uses of QR in advertisements would use URL shortening on their own domain, eg https://o2.com/trainpromo2 as that way they can demonstrate authenticity as well as owning the telemetry themselves.
Table service in restaurants don’t need to worry about data density because they have their customers literally sat at the table with the QR code in hand (it doesn’t get any easier to scan a code than like that).
If you’re dealing with a restaurant small enough not to have anyone manage the design then you can also bet that restaurant isn’t worth the effort targeting for this kind of attack. Think about what it would entail:
1. Having someone physically visit the restaurant
2. Measure that QR code so that you know the dimensions of the sticky label you want to print
3. Now visit that restaurant dozens more times to replace the existing QR codes. Each time hoping you get a different menu and/or table
4. Pull of this replacement in a short enough time so that people don’t report that their QR code does something different before you’ve captured enough devices (whatever your attack might be).
5. Hope that the owners don’t notice that the QR codes are now stickers (eg they don’t sit flush on the menu)
6. And hope that they don’t refresh their menus regularly. Which might even just happen because someone spilt the QR code / kids have drawn on it accidentally/ etc
7. And all the while, hope that you don’t get caught. Because restaurants will usually have cameras up. You better also not pay for your meal on card too.
It’s such an inefficient yet also high risk and short lived attack that it’s just not all that likely anyone would bother.
I do get the concern about opening up random websites, but rather than singling out QR codes specifically and letting everything else rot, I suggest we look at the root cause of the issues here. And that root cause isn’t QR codes.
