Attack works on WhatsApp, WeChat, Line, and more

Jul 31, 2016 22:20 GMT

Egyptian security researcher Mohamed Baset has published details about a new type of attack that successfully bypasses SQRLs (Secure QR Logins, aka Secure, Quick, Reliable Logins).

Dubbed QRLJacking, this is a social engineering attack that relies on phishing and other similar techniques to trick a victim into scanning the wrong QR code.

The attack works by requesting a QR code for the service the victim is trying to log into and modifying the QR code to send the confirmation message to the attacker's computer.

The crook can modify these login details, add the data belonging to their PC, relay the data from their phone to the default login server, and access the victim's account from their PC.

A QRLJacking attack is difficult to pull off

This attack needs both the attacker and the victim to be online at the same time, and a degree of technical skill is necessary to modify QR codes shown by the Web services that employ them.

SQRLs have become very popular in recent years and are often used on sites like WhatsApp and other messaging apps.

In a Facebook post, Baset says he tested his attack on sites such as WhatsApp, WeChat, Line, Weibo, QQ Instant Messaging, QQ Mail, Alibaba, and more.

Baset describes QRLJacking as a basic session hijacking attack that steals your session at the login step and sends the data to the crook.

SQRLs are not as secure as initially thought

The attack is difficult to pull off, and because it needs both parties online at the same time, it is likely to become a tool in the arsenal of APTs rather than regular cyber-criminals, who will still favor the shotgun approach of random spam and phishing campaigns.

Baset's discovery casts a shadow of doubt over SQRL's invincibility as a login system, a system that's been hailed as the perfect login method, the only one that blended single-sign-on (SSO) and two-factor authentication (2FA) in a set of simple procedures.

Of course, QRLJacking can be mitigated like any other social engineering attack if users apply a basic anti-phishing technique: being mindful of the URL of the page they're logging into with an account.

More details about QRLJacking can be found on GitHub (proof-of-concept code) and OWASP (technical details). Demo videos are available below.

[Images: Researcher finds new method of bypassing QR login systems; QRLJacking attack; Normal SQRL login procedure]