Scanning random QR codes is already a risky proposition, and a newly detailed social engineering attack vector named QRLJacking adds another layer of risk to their use. Many web services offer the option of logging into an account with a QR code: chat apps such as WhatsApp and Weibo, the email service QQ Mail, e-commerce services such as Alibaba and AliExpress, and many more.
What is QRLJacking?
Quick Response Code Login Jacking (QRLJacking) is a method of tricking users into effectively logging into an online account on behalf of the attacker by making them scan the wrong QR code. It is a simple social engineering attack vector with real potential for session hijacking. It affects all applications that offer the “Login with QR code” feature as a secure way to log into accounts.
In short, the victim scans the attacker's QR code instead of his own, which results in session hijacking: everything the WhatsApp Web application needs to establish the session is handed to the attacker.
How is QRLJacking used?
Initially the attacker begins a client-side QR session and clones the login QR code into a phishing website. “Now a well-crafted phishing page with a valid and regularly updated QR Code is ready to be sent to a victim.”
The attacker then sends the phishing page to the victim. The victim scans the QR code with the specific targeted mobile app, which allows the attacker to gain control over the victim's account. In this way all of the victim's data is exchanged with the attacker's session.
Implications of QRLJacking
- Information Disclosure: When the victim scans the QR code, he unknowingly hands the attacker the sensitive information required for the login process, such as his accurate GPS location, device type, IMEI, SIM card information and much more.
- Account Hijacking: QRLJacking allows attackers to carry out a full account hijacking scenario against the vulnerable login-with-QR-code feature, resulting in stolen accounts and reputational damage.
- Callback Data Manipulation: When the attacker receives the victim's stolen data, that data is used to communicate with the service's servers to clarify some information about the user. This data is also exchanged over insecure network connections, which makes it easy for the attacker to control, allowing him to alter or even remove it.
QRLJacking and Advanced Real Life Attack Vectors
Combining more than one vector produces a better result than using a single one. A QRLJacking attack can be combined with powerful attack vectors and methods to make it more reliable and convincing. Some combined attack vectors are discussed below:
- Social Engineering Techniques: An expert social engineer can easily convince the victim to scan the QR code by cloning the whole web application login page exactly, but with his own attacker-side QR code.
- Hacked highly-trusted websites and services: Compromised websites can be injected with a script that shows an ad or a newly added section displaying an exciting offer. The user scans this QR code with the specific targeted mobile application and his account is hijacked.
- SSL Stripping: This type of attack strips SSL from a website and forces it to work over the non-secured version. Websites without an “HSTS Policy” enabled are more prone to being stripped, giving the attacker multiple ways to manipulate the content of the website's pages by altering the QR code login sections.
- Content Delivery Networks (CDN Downgrading): A well-implemented QR code feature uses a base64 QR code image generated and placed in a secured page, which makes it difficult to alter if the website works over HTTPS and enforces HSTS. Many web applications and services use a CDN-based QR image generation process, and these CDNs are sometimes hosted on servers vulnerable to HTTPS downgrading attacks. An attacker who manages to downgrade these secure connections can redirect the CDN URLs to his own QR code. Because the QR code is an image, this results only in “passive mixed content”, so the browser raises no objection to displaying it on the web application's login page in place of the original.
- Non-secure Traffic over LAN: This is one of the most suitable attack vectors for attacking users on a local area network, by exploiting non-secured websites and manipulating traffic. The attacker performs a MITM (Man in the Middle) attack against his local area network, polluting the traffic on the fly by injecting a JS file into every non-secured web page.
- Bad Implementation/Logic: Bad implementation logic in QR code logins can lead to even easier account takeover scenarios. For example, a chat app asks you to scan other people's QR codes to add them as friends, but when the same mechanism is tied to the login process this becomes a serious issue: someone can clone his login QR code and trick you into scanning it to add him as your friend.
How can you defend against QRLJacking?
The best defence against QRLJacking is to stop using Login with QR code except where it is strictly necessary. Beyond that, there are several ways to mitigate this issue, which can be used together or standalone:
- Restricting any authentication process across different networks (WANs) can help reduce the attack window.
- Implement a confirmation message or notification showing characteristic information about the session established between client and server.
- Restricting any authentication process based on differing locations can minimise the attack window.
- Add sound-based authentication steps to the process; this is one of the best ways to mitigate this kind of attack.
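The following is an added example, not code from the original article or from any of the services it names. It models a minimal "login with QR code" service in Python and applies three of the mitigations listed above: a short lifetime for an unconfirmed QR token, refusing to complete a login when the browser that requested the QR code and the phone that scanned it are on different networks, and an explicit confirmation prompt that shows the user which browser and address they are about to log in. The class and function names, the /24 and /64 "same network" heuristic and the 60-second window are all assumptions made for the example.

```python
from __future__ import annotations

import ipaddress
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

QR_TTL_SECONDS = 60  # assumed validity window for an unconfirmed QR token


@dataclass
class PendingLogin:
    """A QR token issued to a browser that has not yet been confirmed by a phone."""
    token: str
    browser_ip: str
    browser_agent: str
    created_at: float
    session_id: Optional[str] = None


def same_network(ip_a: str, ip_b: str) -> bool:
    """True if both addresses fall in the same /24 (IPv4) or /64 (IPv6).

    A coarse stand-in for 'same local network' (assumption); a real service
    would use whatever network identity it already tracks for its clients.
    """
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    if a.version != b.version:
        return False
    prefix = 24 if a.version == 4 else 64
    return b in ipaddress.ip_network(f"{a}/{prefix}", strict=False)


class QRLoginService:
    """Hypothetical server side of a QR login flow (browser requests, phone confirms)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.pending: dict[str, PendingLogin] = {}
        self.notifications: list[str] = []  # messages that would be pushed to the phone

    def issue_qr(self, browser_ip: str, browser_agent: str) -> str:
        """The browser asks for a login QR; the returned token is what the QR image encodes."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = PendingLogin(token, browser_ip, browser_agent, self.clock())
        return token

    def confirm_scan(self, token: str, phone_ip: str,
                     approve: Callable[[str], bool]) -> tuple[bool, str]:
        """The phone reports a scanned token. `approve` stands in for the confirmation
        prompt: it receives the session details and returns the user's decision."""
        login = self.pending.get(token)
        if login is None:
            return False, "unknown token"
        if self.clock() - login.created_at > QR_TTL_SECONDS:
            del self.pending[token]
            return False, "token expired"
        if not same_network(login.browser_ip, phone_ip):
            # A phished victim's phone is almost never on the same network as the
            # browser that requested the token, so refuse and tell the user.
            del self.pending[token]
            self.notifications.append(
                f"Blocked login attempt from {login.browser_ip} ({login.browser_agent})")
            return False, "browser and phone on different networks"
        details = f"Log in on {login.browser_agent} at {login.browser_ip}?"
        self.notifications.append(details)
        if not approve(details):
            del self.pending[token]
            return False, "user declined"
        login.session_id = secrets.token_hex(16)  # the session now belongs to that browser
        return True, login.session_id


def demo() -> tuple[bool, bool, str]:
    """Constructed scenario: a legitimate login from the user's own network, then a
    token requested by a browser elsewhere (the phishing case) scanned by the same phone."""
    svc = QRLoginService()
    own = svc.issue_qr("192.0.2.10", "Firefox on Linux")
    ok_own, _ = svc.confirm_scan(own, "192.0.2.25", approve=lambda d: True)
    elsewhere = svc.issue_qr("198.51.100.7", "Chrome on Windows")
    ok_elsewhere, reason = svc.confirm_scan(elsewhere, "192.0.2.25", approve=lambda d: True)
    return ok_own, ok_elsewhere, reason


if __name__ == "__main__":
    print(demo())  # (True, False, 'browser and phone on different networks')
```

The network check is the cheapest of the three mitigations and also the one with the most false positives (a user on mobile data scanning a code on their office desktop), which is why the example pairs it with the confirmation prompt rather than relying on it alone: even when the network check passes, nothing completes until the user has seen which browser is asking.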