Bad QR is the description for bug report #126784, filed for Coinbase on HackerOne.
It covers drawing money from Coinbase wallet users on iOS and Android by bypassing the confirmation screens.
Coinbase mobile wallet users should be warned not to scan foreign QR payment codes until the apps are updated.
Any payment code for less than 0.1 BTC that is read by the Coinbase wallets is sent automatically, with no confirmation.
The loss of money in this scenario is per user.
As of right now, this feature is being patched and updates will be provided to both App Stores.
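The threshold behaviour described above, next to a hardened rule that confirms every scanned payment, as an added example (not Coinbase's code and not part of the original report). It assumes the QR payload is a BIP21-style `bitcoin:` URI; the function names and the placeholder address are hypothetical.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

AUTO_SEND_LIMIT_BTC = Decimal("0.1")  # threshold stated on this page


def parse_payment_uri(payload):
    """Parse 'bitcoin:<address>?amount=<BTC>' (BIP21-style; format is an assumption)."""
    scheme, sep, rest = payload.strip().partition(":")
    if not sep or scheme.lower() != "bitcoin":
        raise ValueError("not a bitcoin payment URI")
    address, _, query = rest.partition("?")
    if not address:
        raise ValueError("missing address")
    amounts = parse_qs(query).get("amount", [])
    if len(amounts) > 1:
        # Two amounts could show one value and send another: reject outright.
        raise ValueError("ambiguous: more than one amount")
    if not amounts:
        return address, None
    try:
        amount = Decimal(amounts[0])
    except InvalidOperation:
        raise ValueError("malformed amount") from None
    if not amount.is_finite() or amount <= 0:
        raise ValueError("amount must be a positive number")
    return address, amount


def handle_scan(payload, auto_send_below=None):
    """Decide what the wallet does with a scanned code.

    auto_send_below=AUTO_SEND_LIMIT_BTC models the behaviour reported here.
    The default (None) is the hardened rule: the user confirms every payment.
    """
    address, amount = parse_payment_uri(payload)
    if auto_send_below is not None and amount is not None and amount < auto_send_below:
        return {"action": "send", "address": address, "amount": amount}
    return {"action": "confirm", "address": address, "amount": amount}


if __name__ == "__main__":
    # Constructed sample payloads; the address is a placeholder, not a real one.
    for qr in ("bitcoin:EXAMPLE_ADDRESS?amount=0.05", "bitcoin:EXAMPLE_ADDRESS?amount=0.1"):
        print(qr, handle_scan(qr, AUTO_SEND_LIMIT_BTC)["action"], handle_scan(qr)["action"])
```

The address is not validated here; a wallet would also check it and show both address and amount on the confirmation screen.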
This test bed can generate QR codes that will cause the issue to occur.
They can also be given a "Social Engineering" spin in order to convince a user to scan it.
You can try this, but for the love of god, don't scan QR codes outside this page unless it's a trusted QR code.
A bad actor can use this to draw unsuspecting users into making transactions out of Coinbase.
For the amount of money that it will cost a single user to read a QR code, you could blanket thousands in social media through Facebook, Twitter and Reddit.
By definition, bitcoin transactions are non-refundable and this feature can cost you a bit.