QRLJACKING and QRLJACKER

In this post, i would like to share one attack method that will take advantage on QR Code which called Quick Response Code Login Jacking (QRLJacking).

QRLJacking is a new method that most people might not even heard before. QRLJacking is a direct and easy social engineering method which expose via session hijacking with all the application that rely highly on the “Login with QR Code” feature.

Source : WhatsApp Accounts QRLJacking and ARP poisoning Injection by Seekurity.com

Exploitation Framework Used for the QRLJacking

All attack vector has its own Exploitation Framework and QRLJacking is one of them too.

Exploitation Framework that can be used for QRLJacking is called QRLJacker where it was customizable exploitation framework in order to presented on how it is not that hard to hijack service within an application especially Mobile Application that mostly depending on the QR Code for authentication login method.

alt img

Source: Github QRLJacker

There is a Youtube video that shows how to Installing QRLJacker Framework and how to use the tools to exploit the QR Code.

Source: Installing QRLJacker framework version 2 and hacking Whatsapp

Recommendation

Even though, its best practice to stop using Login with QR Code but there is a workaround that can be implemented to ensure the mitigation of any issues

Those Workaround can be listed as follows:

  • The developer and system administrator to configure the application to use notification and message of confirmation where it can show all the information of the client and server. This workaround can be used to record the process on the user and system.
  • The user will need to ensure the link to the QR Code is a legit link where it can prevent the user login to a malicious QR Code.

Credit to:

Source: GitHub QRLJacking, Github QRLJacker

Author: Wan Ariff

He brings with him working experience in Information Security filed which specializing in Penetration Testing and Digital Forensic. His passion is more to IT Security

Leave a Reply

Your email address will not be published. Required fields are marked *