In this post I would like to share an attack method that takes advantage of QR codes, called Quick Response Code Login Jacking (QRLJacking).
QRLJacking is a relatively new method that most people may not have heard of before. It is a simple, direct social engineering attack that ends in session hijacking: the attacker requests a legitimate login QR code for their own browser session and presents it to the victim, and when the victim scans it with the already logged-in mobile app, the attacker's session is the one that gets authenticated. It affects any application that relies heavily on a "Login with QR Code" feature.
Source: WhatsApp Accounts QRLJacking and ARP poisoning Injection by Seekurity.com
Exploitation Framework Used for the QRLJacking
Most attack vectors end up with their own exploitation framework, and QRLJacking is no exception.
The exploitation framework for QRLJacking is called QRLJacker. It is a customizable framework built to demonstrate how easy it is to hijack a session in applications, especially mobile applications, that depend on scanning a QR code as their login method.
Source: GitHub QRLJacker
There is also a YouTube video that shows how to install the QRLJacker framework and how to use it to exploit a QR code login.
Source: Installing QRLJacker framework version 2 and hacking Whatsapp
Recommendation
Although the best practice is to stop using Login with QR Code altogether, there are workarounds that can be implemented to mitigate the risk if the feature has to stay.
These workarounds are as follows:
- Developers and system administrators should configure the application to send a notification or confirmation message before the login is completed, showing the user all the relevant information about the client and server involved (for example where the browser that requested the QR code connected from). This also records the login process on both the user's side and the system's side.
- Users should make sure the page or link presenting the QR code is legitimate, so that they do not scan a malicious QR code and log an attacker into their account.
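To make the attack and the first workaround concrete, here is an added example written for this post (it is not code from the QRLJacker framework or the OWASP QRLJacking project). It models a toy "Login with QR Code" server in two modes: the vulnerable pattern, where whoever scans the code logs in the browser that requested it, and a hardened mode that shows the scanning user the origin of the request and binds the session only after explicit approval. The class and function names, the 60-second token lifetime, the IP addresses (RFC 5737 documentation ranges) and the user agents are all assumptions made up for the illustration.

```python
# Added example: toy model of a "Login with QR Code" flow showing why a relayed
# QR code hands the session to the attacker, and what an in-app confirmation
# prompt changes. Hypothetical code, not from QRLJacker or the OWASP project;
# all names, IPs (RFC 5737 ranges), user agents and the TTL are assumptions.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class QrSession:
    token: str
    created: float
    origin_ip: str               # where the browser that asked for the QR code came from
    origin_ua: str               # its User-Agent; both are shown to the scanning user
    user: Optional[str] = None   # set once a logged-in mobile app scans the code


class QrLoginServer:
    """Server side of the flow. With require_confirmation=False it behaves like
    the vulnerable pattern: whoever scans the code logs in the browser that
    requested it, no questions asked."""
    TTL = 60   # seconds a QR token stays valid (assumed value)

    def __init__(self, require_confirmation: bool = False) -> None:
        self.sessions: Dict[str, QrSession] = {}
        self.require_confirmation = require_confirmation
        self.audit: List[str] = []   # records the process, as the workaround recommends

    def issue_qr(self, ip: str, ua: str) -> str:
        """A browser opens the login page; the returned token is rendered as the QR code."""
        token = secrets.token_urlsafe(16)
        self.sessions[token] = QrSession(token, time.time(), ip, ua)
        self.audit.append(f"issued {token} to {ip} ({ua})")
        return token

    def scan(self, token: str, mobile_user: str,
             confirm: Optional[Callable[[str], bool]] = None) -> str:
        """The mobile app reports that mobile_user scanned `token`."""
        s = self.sessions.get(token)
        if s is None or s.user is not None or time.time() - s.created > self.TTL:
            self.audit.append(f"rejected scan of {token} by {mobile_user}")
            return "rejected"   # unknown, already used, or expired token
        if self.require_confirmation:
            # Hardened mode: tell the scanning user which client is about to be
            # logged in, and bind the session only after an explicit approval.
            prompt = (f"Log in a browser at {s.origin_ip} ({s.origin_ua}) "
                      f"as {mobile_user}? Approve only if this is your device.")
            self.audit.append(f"prompted {mobile_user}: {prompt}")
            if confirm is None or not confirm(prompt):
                del self.sessions[token]   # one-time token; a refusal burns it
                self.audit.append(f"denied {token}")
                return "denied"
        s.user = mobile_user
        self.audit.append(f"linked {token} to {mobile_user}")
        return "linked"

    def poll(self, token: str) -> Optional[str]:
        """The web page showing the QR code polls until a user is attached."""
        s = self.sessions.get(token)
        return s.user if s else None


def victim_reviews_prompt(prompt: str, own_ip: str) -> bool:
    """What a careful user does with the prompt: approve only if it names
    the device they are actually sitting at."""
    return own_ip in prompt


def qrljacking_demo(server: QrLoginServer) -> Tuple[str, Optional[str]]:
    """The attack described above, run against either server mode.
    Returns (scan outcome, user now bound to the attacker's browser)."""
    attacker_ip, victim_ip = "203.0.113.7", "198.51.100.23"
    # 1. the attacker's browser requests a legitimate QR code from the real service
    attacker_token = server.issue_qr(attacker_ip, "Mozilla/5.0 (attacker laptop)")
    # 2. the attacker copies that QR image onto a phishing page (not modelled here)
    # 3. the victim, logged in on the mobile app, scans it
    outcome = server.scan(attacker_token, "victim",
                          confirm=lambda p: victim_reviews_prompt(p, victim_ip))
    # 4. the attacker's page polls; in vulnerable mode it now holds the victim's session
    return outcome, server.poll(attacker_token)


if __name__ == "__main__":
    print(qrljacking_demo(QrLoginServer()))                           # ('linked', 'victim')
    print(qrljacking_demo(QrLoginServer(require_confirmation=True)))  # ('denied', None)
```

The confirmation prompt is only useful because it carries information the victim can check against their own situation (here the origin IP and User-Agent); a bare "Approve login?" dialog would be clicked through just as easily as the QR code was scanned. The token is also single-use and short-lived, which limits how long a relayed code stays exploitable.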
Credit to:
- Mohamed Abdel Aty (@M_Aty)
- Mostafa Kassem (@Zanzofily)
- Karim Shoair (@D4Vinci)
- Abdelrahman Shawky (@ShawkyZ)
- Ahmed Elsobky (@0xSobky)
- Ahmed Abbas (@Fiberghost)
- Hiram Camarillo (@Hiramcoop)
- Juan Carlos Mejia (@Th3kr45h)
- Mohamed Abdelbasset Elnouby (@SymbianSyMoh)
- Mohamed.Baset@OWASP.org
Source: GitHub QRLJacking, GitHub QRLJacker