QRLJacking is the term given to a new social engineering method of compromising the QR Login process. QR Login had previously been considered both a secure and simple method of remote authentication. A new proof of concept now shows that the process is susceptible to relatively simple hijacking.
QR Login requires that a remote site’s QR code be scanned by a local device. This triggers unique authentication details from that device are then sent back to the website which then logs in the device concerned. No passwords are required.
Egyptian researcher Mohamed Baset has published details of a new social engineering attack vector capable of successful session hijacking. It requires little or no traditional hacking skills since it is based on manipulation of the process rather than exploiting any software. It can be made to work against any website that uses QR logins.
The attack requires the attacker to obtain the login QR code from the target website and place it into a phishing page. He then socially engineers the user to visit that phishing page and to log into the QR login process. If the user does this, his secret login token is sent to the attacker rather than the authentic website — and the attacker can hijack the session. The only real skills required are a code refreshing script to update the ‘false’ QR code with the latest code displayed by the website, and a well-designed and crafted phishing page to persuade the victim to log in.
This is unlikely to become a broad mass attack strategy — but it could be an effective method of specific targeted attacks against individuals. “The researcher’s proof-of-concept illustrates a flaw in ‘SQRL’ that allows an attacker to target an individual and hijack his or her WhatsApp session,” F-Secure security advisor told SecurityWeek. “The attacker has to be ‘present’ at the time of login for this to work. The level of proficiency to pull this attack off is very low (script-kiddie level).”
This type of attack, he added, “could theoretically be used in a targeted fashion, against an individual of interest. As a bonus, the attacker will obtain some sensitive information from the victim, such as GPS location, Device type, IMEI, and SIM Card Information.”
Luis Corrons, technical director at PandaLabs, agrees with this diagnosis, but adds, “Kudos to the researcher. This type of ‘out-of-the-box’ thinking is what finds new attack vectors and helps to improve security.” He agrees that it will largely be used in targeted attacks, but warns “people do tend to send really sensitive information through apps like WhatsApp.”
Solutions to the problem are not immediately apparent. Corrons suggests, “If an activation link could be sent to the device at the time the code is generated, this could make things harder for the attackers.”
Patel has a simpler solution. “If you’re worried about being targeted by someone who would want to hijack your WeChat, Line, or WhatsApp session, you can always opt to turn that feature off and use a regular password.”