That QR code in your photo is a leak
You've stripped the metadata, so the photo carries no GPS pin, no device serial, no capture time. Then you post it — and there, in frame, propped against your coffee cup, is a boarding pass. The barcode on it is a machine-readable record of who you are and where you're going, and it reads perfectly from a photo. The most dangerous data in an image isn't always hidden in the file. Sometimes it's printed on something in the picture.
The boarding-pass problem
Airline barcodes follow a standard format that packs in your full name, booking reference and frequent-flyer number. The booking reference is the key: combined with a surname, it's the login for most airlines' manage-booking pages — contact details, seat changes, sometimes cancellation, all one scan away. This isn't hypothetical. Celebrities and politicians post gate-side boarding-pass photos constantly, and in one widely reported case a security researcher recovered a former prime minister's passport number starting from nothing but a boarding pass posted to Instagram.
Wi-Fi cards and tickets leak the same way
The café's little Wi-Fi QR card encodes the network name and password in plain text — photograph the counter and you've published the credentials. An event ticket's QR code is the ticket: whoever scans your excited pre-show post first gets through the gate. Anything designed to be scanned in person is just as scannable from a photo of it.
Scrubbing doesn't touch it
Metadata cleaning removes the descriptive fields that ride alongside the image — it never alters the pixels. A QR code is pixels. Worse, these codes are engineered to survive abuse: error correction lets them scan through glare, odd angles, partial obstruction and the recompression every chat app applies. The same robustness that makes them convenient at a gate makes them nearly indestructible in a shared photo. The only fix is visual: the code has to be redacted out of the image itself.
Spotting codes before you share
The hard part is noticing. A barcode in the background of a desk photo doesn't register as sensitive the way a visible address does. So MetaMarshal's reveal now scans every photo for scannable codes, entirely on your device — using the browser's built-in BarcodeDetector where it's available, and a jsQR fallback where it isn't. When it finds one, it decodes the payload locally and classifies it: a URL, Wi-Fi credentials, boarding-pass data, or plain text. You see what the code says before anyone else can, and the photo never leaves your browser to be checked.
Closing the leak
From there it's one step: the finding hands off to the redaction tool, which blacks out the code by replacing the pixels — baked in, not layered on top — and re-encodes the file on export so the metadata leaves in the same pass. Then verify: point a scanner at your exported copy and confirm there's nothing left to read. Drop a photo into MetaMarshal's reveal and see what's scannable in yours — the check runs on-device, and it's the part of the leak you can't see by looking.