Egyptian security researcher Mohamed Baset has published details about a new type of attack that successfully bypasses SQRLs (Secure QR Logins, aka Secure, Quick, Reliable Logins).
Dubbed QRLJacking, this is a social engineering attack that relies on phishing and other similar techniques to trick a victim into scanning the wrong QR code.
The attack works by requesting a QR code for the service the victim is trying to log in to and modifying the QR code to send the confirmation message to the attacker's computer.
The crook can modify these login details, add the data belonging to his PC, relay the data from his phone to the default login server, and access the victim's account from his PC.
A QRLJacking attack is difficult to pull off
This attack needs both the attacker and the victim to be online at the same time, and a degree of technical skill is needed to modify QR codes shown by the Web services that employ them.
SQRLs have become very popular in recent years and are often used on sites like WhatsApp and other messaging apps.
In a Facebook post, Baset says he tested his attack on sites such as WhatsApp, WeChat, Line, Weibo, QQ Instant Messaging, QQ Mail, Alibaba, and more.
Baset describes QRLJacking as a basic session hijacking attack that steals your session at the login step and sends the data to the crook.
SQRLs are not as secure as initially thought
The attack is difficult to pull off, and because it needs both parties online at the same time, it is likely to become a tool in the arsenal of APTs rather than regular cyber-criminals, who will still favor the shotgun approach of random spam and phishing campaigns.
Baset's discovery casts a shadow of doubt over SQRL's invincibility as a login system, a system that's been hailed as the perfect login method, the only one that blended single-sign-on (SSO) and two-factor authentication (2FA) in a set of simple procedures.
Of course, if a user is mindful of the URL of the page where he's logging in to an account, a basic anti-phishing technique, QRLJacking can be mitigated like any other social engineering attack.
More details about QRLJacking can be found on GitHub (proof of concept code) and OWASP (technical details).