Comment by chtitux
3 months ago
It could be interesting to understand the actual content of the QR code. part1 is a static id, so likely linked to the membership.
part2 seems to be a timestamp. Maybe we can try to forge the value to "now - 10 seconds".
And if the implementation has been done right, the "part3" should be a signature of part1 and part2, not a "salt" (so forging part2 should be detected and code rejected).
Judging by the size of the QR code, part 3 is too short to be a signature. Probably the token is just registered in a centralized system that the QR code scanner checks with to see if the code is valid.
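The scanner-side check the comment describes, as an added example that is not part of the thread and not the real system's code: part3 is an HMAC over part1 and part2, so a code whose part2 was rewritten fails verification. The `|` separator, the decimal Unix timestamp, HMAC-SHA256, the key, the 30-second window and all sample values are assumptions.

```python
import hashlib
import hmac

# Assumptions (not from the thread): '|' separator, decimal Unix timestamp in
# part2, HMAC-SHA256 with a server-side key, 30-second validity window.
SECRET_KEY = b"constructed-demo-key"  # constructed sample value
MAX_AGE_SECONDS = 30


def sign(part1: str, part2: str, tag_bytes: int = 32) -> str:
    """Return part3: hex HMAC over part1 and part2, truncated to tag_bytes."""
    msg = f"{part1}|{part2}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()[:tag_bytes].hex()


def verify(token: str, now: int, tag_bytes: int = 32) -> str:
    """Return 'ok' or the reason the scanner should reject the code."""
    fields = token.split("|")
    if len(fields) != 3:
        return "malformed"
    part1, part2, part3 = fields
    # Authenticate first: no field is trusted until the tag matches.
    expected = sign(part1, part2, tag_bytes).encode()
    if not hmac.compare_digest(expected, part3.encode()):
        return "bad signature"
    # Only now interpret part2 as a timestamp and enforce freshness.
    if not part2.isdigit() or not 0 <= now - int(part2) <= MAX_AGE_SECONDS:
        return "expired"
    return "ok"


def demo() -> dict:
    now = 1_700_000_100       # constructed clock value
    member = "member-0001"    # constructed static id (part1)
    old_ts, new_ts = str(now - 3600), str(now - 10)
    old = f"{member}|{old_ts}|{sign(member, old_ts)}"
    fresh = f"{member}|{new_ts}|{sign(member, new_ts)}"
    # Old code with part2 rewritten to "now - 10" and part3 left unchanged.
    edited = f"{member}|{new_ts}|{old.split('|')[2]}"
    return {name: verify(tok, now) for name, tok in
            [("fresh", fresh), ("old", old), ("edited", edited)]}


if __name__ == "__main__":
    print(demo())
```

The `tag_bytes` parameter shows that a MAC tag can be truncated (8 bytes is 16 hex characters), so a short part3 is compatible with either a truncated MAC or an opaque token looked up server-side.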