QRLJacking or Quick Response Code Login Jacking is a simple social engineering attack vector capable of session hijacking affecting all applications that rely on the “Login with QR code” feature as a secure way to login into accounts. In a nutshell, the victim scans the attacker’s QR code which results in session hijacking.
If the attacker successful, QRLJacking attack gives an ability to apply a full account hijacking scenario on the vulnerable QR-Code-based Login service resulting in account hijacking and other information like victim’s accurate current GPS location, device IMEI number, SIM card data and other sensitive data that the client app presents at the login process.
QRLJacking Attack Flow
Here’s how the QRLJacking attack works behind the scenes:
1. The attacker initial a client side QR session and clone the Login QR Code into a phishing website. “Now a well-crafted phishing page with a valid and regularly updated QR Code is ready to be sent to a Victim.”
2. The Attacker Sends the phishing page to the victim. (refer to QRLJacking real life attack vectors)
3. The Victim Scans the QR Code with a Specific Targeted Mobile App.
4. The Attacker gains controls over the victim’s Account.
5. The service is exchanging all the victim’s data with the attacker’s session.
1. Accounts Hijacking
QRLJacking attack gives attackers the ability to apply a full account hijacking scenario on the vulnerable Login with QR Code feature resulting in accounts stealing and reputation affection.
2. Information Disclosure
When the victim scans the QR code he is giving the attacker much more information like for example (his accurate current GPS location, Device type, IMEI, SIM Card Information and any other sensitive information that the client application presents at the login process)
3. Callback Data Manipulation
When the attacker receives the data which we clarified in the “Information Disclosure” point, Some of this data is used to communicate with the service servers to clarify some information about the user which can be used later in the user’s application. Unfortunately sometimes this data is exchanged over insecure network connection which makes it easy for this data to be controlled by the attacker giving him the ability to alter or even remove it.
QRLJacking and Advanced Real Life Attack Vectors
As we all know, If we combined more than one attack vector together we can have a great result. QRLJacking attack can be combined with a powerful attack vectors and techniques to make it more reliable and trustworthy. Here are some examples:
1. Social Engineering techniques (Targeted Attacks)
A skilled social engineer attacker will find this mission easy to convince the victim to scan the QR Code by cloning the whole web application login page with an exact one but with his own attacker side QR Code.
2. Hacked highly-trusted websites and services
Hacked websites are prone to be injected with a script that displays an Ad or a newly added section displays a cool offer if the user scanned this QR Code with a specific targeted mobile application his account will be hijacked.
3. SSL Stripping
SSL Stripping is an attack which is all about strip the ssl website and force it to work on a non secured version. Web sites without “HSTS Policy” enabled are prone to be stripped which gives the attacker multiple choices to manipulate the content of the website pages by for example, “altering the QR Code login sections”.
4. Content Delivery Networks (CDNs Downgrading)
A well implemented Login by QR Code feature uses a base64 QR code image generated and well placed in a secured page which will make it very difficult to be manipulated if this website is working over HTTPS and forcing HSTS, but unfortunately a lot of web applications and services uses a CDN based QR image generation process. These CDNs itself are sometimes stored on a servers vulnerable to HTTPS Downgrading attacks.
Attackers will find a way to downgrade these secure connections, redirect the CDN URLs to his own QR Code, and since the QR Code is an image this will result in a “passive mixed content” hence the browser will not find any problems by viewing it on the web application login page instead of the original one.
5. Non-secure Traffic over LAN
This is the most suitable attack vector for attacking users over Local Area Networks by exploiting the non secured websites and manipulate traffic, The attacker here is performing MITM (Man in the Middle Attack) against his local area network, poisoning the traffic on the fly by injecting a JS file on every non secured web page.
6. Bad Implementation / Logic
Bad implementation logic of the QR code logins may result into a more easy accounts takeover scenarios. During our research we found a specific example: A chat app asks you to scan other people’s QR code to add them as friends, until here it’s normal and there are no problems, but when it comes to the login process it’s a big problem.
Unfortunately, the application implemented the “login by QR code” feature on the same screen that you’re using to add a friend, so imagine that someone cloned his login qr code and told you “Hey, This is my QR Code, scan it to be my friend, you scanned it, Boom” you lost your account.
Defending against QRLJacking (Recommendations and Mitigations)
Our top recommendation is to just stop using Login with QR code except when it is necessary also there is a lot of ways to mitigate such issue and here is some ways to be used together or standalone:
1. Session Confirmation, We recommend implementing a confirmation message/notification displaying characteristic information about the session made by the client/server.
2. IP Restrictions, Restricting any authentication process on different networks (WANs) will minimize the attack window.
3. Location-based Restrictions, Restricting any authentication process based on different locations will minimize the attack window.
4. Sound-based Authentication, One of the techniques to mitigate this kind of attack [And maintain the same usability level as to not require any additional interaction from the user other than scanning the QR ] is to add sound-based authentication step to the process , we have seen this kind of technology where it is possible to generate unique data and convert it to audio that can be recognized back into its original form [SlickLogin and Sound-Proof] so it is possible to include this technology in the process .
The purposes of this added step is to make sure that scanned QR code is generated in the same physical location as the mobile device that is doing the scan and therefore eliminating the possibility of a remote attacker deceiving the user into scanning his qr code.
Vulnerable Web Applications and Services
There are a lot of well-known web applications and services which were vulnerable to this attack until the date we wrote this paper. Here are some examples (that we have reported) including, but not limited to:
WhatsApp, WeChat, Line, Weibo, QQ Instant Messaging
QQ Mail (Personal and Business Corporate), Yandex Mail
Alibaba, Aliexpress, Taobao, Tmall, 1688.com, Alimama, Taobao Trips
AliPay, Yandex Money, TenPay
Passport Services “Critical”:
Yandex Passport (Yandex Mail, Yandex Money, Yandex Maps, Yandex Videos, etc…)
Mobile Management Software:
MyDigiPass, Zapper & Zapper WordPress Login by QR Code plugin, Trustly App, Yelophone, Alibaba Yunos
Source: Owasp, Download here