QR Code Steganography Hider

Hide secret messages inside fully scannable QR codes. Uses LSB pixel encoding, module color steganography, and PNG metadata embedding. The QR still scans normally while carrying a hidden payload.

New

Read our guides & tutorials

Upload

Payload

Configure Encoding

Encode

Primary QR Content

A new QR code will be generated that scans to this

URL or text the QR code scans to

Your secret message is embedded invisibly — invisible to standard QR readers.

Dual-Payload QR Code

A new QR code is generated that scans normally to your URL. The secret message is embedded invisibly — extractable only with the QR Extractor. 100% client-side.

How to Hide a Message in a QR Code (5 steps)

Enter the URL or text the QR code should scan to (primary content)
Type your secret hidden message or upload a file to hide
Choose a steganography method (PNG Metadata recommended for simplicity; Module Color for visual stealth)
Optionally add a password for AES-256-GCM encryption
Click Generate — download a QR code that scans normally and contains your hidden message

QR Steganography Methods — Algorithm Comparison

Method	Capacity	Detection Risk	Best For
PNG Metadata	Up to 4 KB	Easy to inspect	Quick embeds, simple watermarking
LSB Pixel Encoding	High (image-size dependent)	Image analysis tools	Large payloads, PNG output
Module Color Stego	Medium (module count)	Color histogram tools	Visual stealth, CTF challenges
Error Correction (Phase 2)	EC codewords only	QR structure inspector	Hardest to detect (planned)

Frequently Asked Questions

Will my QR code still scan after encoding?

Yes. A real-time scan test confirms your QR code is still scannable after encoding. The hidden payload is invisible to standard QR readers.

How much data can I hide?

It depends on the method. PNG Metadata supports up to 4 KB. LSB encoding can hide several KB depending on the QR image size. Module Color can encode hundreds of bytes per method.

Which method is hardest to detect?

Module Color Steganography is the hardest to detect visually — the near-black/near-white color shifts (R±1–2) are imperceptible to the human eye. PNG Metadata is the easiest to detect if someone inspects the file.

Is my QR code uploaded to a server?

Never. QR generation, encoding, and scanning all happen entirely in your browser using the Canvas API and Web Crypto API. Your data never leaves your device.

What does AES-256-GCM encryption do?

It encrypts the hidden payload before embedding. Even if someone extracts the hidden bytes, they need your password to read it. Uses PBKDF2 key derivation with 100,000 iterations.

What is Error Correction Exploitation?

QR codes include redundant error correction modules (7–30% of modules depending on EC level). Phase 2 will exploit this capacity to embed hidden data. Currently in development.