Nowadays, applications are using many authentication mechanisms; Two factor authentication, Network access authentication, IPSec authentication … One of these mechanisms is QR Code Authentication, which is used by many Web apps, in this article, I will introduce the concept and the QRLJacking, the attack against the QR-logging-in method.
What is QR Code ?
I will just quote from Wikipedia : “… A QR code consists of black squares arranged in a square grid on a white background, which can be read by an imaging device such as a camera, and processed using Reed–Solomon error correction until the image can be appropriately interpreted. The required data are then extracted from patterns that are present in both horizontal and vertical components of the image.”
… So basically QR codes are nothing but a new way to store data on some black squares … take it this way.
How QR-logging-in idea works ?
the concept is quite simple, the web app is displaying QR code on the login screen, right next to regular username/password login form. You’re taking out your phone, snapping a photo with any QR reader app for your iPhone/Android device and in less than 5 seconds you’re logged into the web app on the computer. No passwords, no hassle. And you didn’t even have to touch the keyboard! After that you can log into another app. And another one. And another…If you ever used Whatsapp on your web browser, then you should be familiar with this method…Sounds good right ?
Recently, an Egyptian hacker has discovered a vulnerability that can bypass this authentication mechanism, and yes, your favorite messaging app was infected too. The attack called QRLJacking.
What is QRLJacking?
QRLJacking or Quick Response Code Login Jacking is a simple social engineering attack vector capable of session hijacking affecting all applications that rely on the “Login with QR code” feature as a secure way to login into accounts. In a nutshell, the victim scans the attacker’s QR code which results in session hijacking.
How it works ?
Here’s how the QRLJacking attack works behind the scenes:
- The attacker initialize a client side QR session and clone the Login QR Code into a phishing website “Now a well crafted phishing page with a valid and regularly updated QR Code is ready to be sent to a Victim.”
- The Attacker Sends the phishing page to the victim. (a lot of efficient attack vectors are going to be clarified later in the paper)
- The Victim Scans the QR Code with a Specific Targeted Mobile App.
- The Attacker gains control over the victim’s Account.
- The service is exchanging all the victim’s data with the attacker’s session.
Recommendations and mitigations :
The top recommendation is to just stop using Login with QR code except when it is necessary also there is a lot of ways to mitigate such issue and here is some ways to be used together or standalone:
- Session Confirmation, the security researchers recommend implementing a confirmation message/notification displaying characteristic information about the session made by the client/server.
- IP Restrictions, Restricting any authentication process on different networks (WANs) will minimize the attack window.
- Location-based Restrictions, Restricting any authentication process based on different locations will minimize the attack window.
Latest posts by AYOUB BAHAR (see all)
- Facebook has yet proven than user privacy isn’t a priority! - April 21, 2020
- ISIM REST API Samples - July 10, 2019
- IBM DB2 HADR: Dummy guide - April 13, 2019