New “QRLJacking” Attack Targets QR Code Logins

QRLJacking is the term given to a new social engineering method of compromising the QR Login process. QR Login had previously been considered both a secure and simple method of remote authentication. A new proof of concept now shows that the process is susceptible to relatively simple hijacking.

QR Login requires that a remote site’s QR code be scanned by a local device. Scanning triggers unique authentication details from that device, which are then sent back to the website, which in turn logs in the device concerned. No passwords are required.

Egyptian researcher Mohamed Baset has published details of a new social engineering attack vector capable of successful session hijacking. It requires little or no traditional hacking skills since it is based on manipulation of the process rather than exploiting any software. It can be made to work against any website that uses QR logins.

The attack requires the attacker to obtain the login QR code from the target website and place it into a phishing page. He then socially engineers the user to visit that phishing page and to log into the QR login process. If the user does this, his secret login token is sent to the attacker rather than the authentic website — and the attacker can hijack the session. The only real skills required are a code refreshing script to update the ‘false’ QR code with the latest code displayed by the website, and a well-designed and crafted phishing page to persuade the victim to log in.

This is unlikely to become a broad mass attack strategy — but it could be an effective method of specific targeted attacks against individuals. “The researcher’s proof-of-concept illustrates a flaw in ‘SQRL’ that allows an attacker to target an individual and hijack his or her WhatsApp session,” F-Secure security advisor told SecurityWeek. “The attacker has to be ‘present’ at the time of login for this to work. The level of proficiency to pull this attack off is very low (script-kiddie level).”

This type of attack, he added, “could theoretically be used in a targeted fashion, against an individual of interest. As a bonus, the attacker will obtain some sensitive information from the victim, such as GPS location, Device type, IMEI, and SIM Card Information.”

Luis Corrons, technical director at PandaLabs, agrees with this diagnosis, but adds, “Kudos to the researcher. This type of ‘out-of-the-box’ thinking is what finds new attack vectors and helps to improve security.” He agrees that it will largely be used in targeted attacks, but warns “people do tend to send really sensitive information through apps like WhatsApp.”

Solutions to the problem are not immediately apparent. Corrons suggests, “If an activation link could be sent to the device at the time the code is generated, this could make things harder for the attackers.”

Patel has a simpler solution. “If you’re worried about being targeted by someone who would want to hijack your WeChat, Line, or WhatsApp session, you can always opt to turn that feature off and use a regular password.”
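
The flow described above and Corrons's suggestion, modelled as an added example (not code from the article, the researcher or any vendor): a toy QR login back end in which a scanned code logs in whichever browser session requested it, next to a variant that holds the login until the user confirms the requesting session's details on the device. The class and function names, the 20-second code lifetime and the confirmation prompt are assumptions; the confirmation step is one reading of the "activation link" idea, not a confirmed fix.

```python
import secrets

QR_TTL = 20  # seconds a code stays valid (assumed value)

class QRLoginServer:
    """Toy model of a QR login back end; all names here are hypothetical."""

    def __init__(self, require_confirmation):
        self.require_confirmation = require_confirmation
        self.pending = {}    # token -> request record
        self.sessions = {}   # browser session id -> logged-in user

    def issue_qr(self, browser_session, browser_ip, now):
        # The token is tied to whichever browser session asked for it.
        token = secrets.token_urlsafe(16)
        self.pending[token] = {"browser": browser_session, "ip": browser_ip,
                               "issued": now, "scanned_by": None}
        return token

    def scan(self, token, user, now):
        # Called by the authenticated phone app after scanning the code.
        req = self.pending.get(token)
        if req is None or now - req["issued"] > QR_TTL:
            self.pending.pop(token, None)      # unknown or expired
            return "rejected"
        if not self.require_confirmation:
            del self.pending[token]            # single use
            self.sessions[req["browser"]] = user
            return "logged-in"
        req["scanned_by"] = user
        # The app shows this to the user before anything is logged in.
        return "confirm login from " + req["ip"]

    def confirm(self, token, user, approve):
        req = self.pending.pop(token, None)    # single use either way
        if req is None or req["scanned_by"] != user or not approve:
            return "rejected"
        self.sessions[req["browser"]] = user
        return "logged-in"

def run_flow(require_confirmation, user_approves):
    """Constructed scenario: the code was requested by session 'sess-B' at
    203.0.113.7, but the user sees and scans it somewhere else."""
    srv = QRLoginServer(require_confirmation)
    token = srv.issue_qr("sess-B", "203.0.113.7", now=0)
    result = srv.scan(token, "alice", now=5)
    if result.startswith("confirm"):
        result = srv.confirm(token, "alice", user_approves)
    return result, srv.sessions.get("sess-B")
```

Without the confirmation step the requesting session is logged in as soon as the code is scanned; with it, the login completes only if the user approves the session details shown on the device, so the protection still depends on the user noticing an unfamiliar origin.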

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
