Have you heard of the new cyber-attack term, QRLJacking? It is a new social engineering method of attacking the QR login process. QR login is considered not only a simple login method but also a secure method of remote authentication. But is it secure? According to a computer analyst, the QR login process is susceptible to attacks.
A QR login requires the QR code for a remote site's web address to be scanned by a device. There are QR code scanners for smartphones, and some apps have a built-in QR code scanner. After the local device scans the QR code, unique authentication credentials are transferred from the device to the website, which then automatically logs the user in. The QR code method of authentication therefore requires no password.
Now an Egyptian researcher, Mohamed Baset, begs to disagree about the security of this mode of authentication. He published a post detailing the new social engineering attack, which can successfully compromise a QR login attempt. The attack requires no special hacking tools or knowledge. A beginner hacker can pull off the attack. The attack can compromise any website that uses QR logins.
First, the attacker gets the login QR code from the website and then places the QR code on a phishing site. The attacker's next task is to socially engineer a user into visiting the phishing webpage, where the user is to use the QR login method. The problem here is that instead of the QR login method sending the login details to the official website, the attacker gets the details. The skill required to pull off this attack is knowledge of a code-refreshing script, which updates the false QR code with the latest code from the official website. The attacker also needs to create a perfect phishing page so that the user won't get suspicious.
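The login flow described above, modelled from the server's side as an added example (not code from the article, the researcher, or any real service): the token inside the QR code is tied to the browser session that requested it, so approval logs in that session no matter where the code is displayed. The `QRLoginServer` class, its method names, the 30-second token lifetime and the `strict` address comparison are assumptions made for illustration.

```python
import secrets
import time

TOKEN_TTL = 30  # seconds a QR token stays valid (constructed value)

class QRLoginServer:
    """Toy model of a QR login back end; every name here is hypothetical."""

    def __init__(self, strict=False):
        self.pending = {}    # token -> (browser_session, requester_ip, issued_at)
        self.logged_in = {}  # browser_session -> user
        self.strict = strict

    def issue_qr(self, browser_session, requester_ip, now=None):
        # The token is bound to the browser session that asked for it,
        # not to whoever ends up looking at the rendered QR image.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        self.pending[token] = (browser_session, requester_ip, now)
        return token

    def approve(self, token, user, scanner_ip, now=None):
        """Called by the user's phone app after a scan; returns a status string."""
        now = time.time() if now is None else now
        entry = self.pending.pop(token, None)  # tokens are single-use
        if entry is None:
            return "unknown-token"
        session, requester_ip, issued_at = entry
        if now - issued_at > TOKEN_TTL:
            return "expired"
        if self.strict and requester_ip != scanner_ip:
            # Assumed check: a phone on mobile data legitimately differs from
            # the desktop's address, so treat a mismatch as a reason to ask
            # the user to confirm, not as proof of abuse.
            return "needs-confirmation"
        self.logged_in[session] = user
        return "ok"

def relayed_code_outcome(strict):
    """Constructed scenario: code requested from one network, scanned on another."""
    srv = QRLoginServer(strict=strict)
    token = srv.issue_qr("session-A", "203.0.113.7", now=0)
    status = srv.approve(token, "alice", "198.51.100.20", now=5)
    return status, srv.logged_in.get("session-A")

if __name__ == "__main__":
    print(relayed_code_outcome(strict=False))
    print(relayed_code_outcome(strict=True))
```
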
This is not the kind of attack used for mass data compromise. Such an attack is effective when targeted at a particular individual. The flaw, found in the SQRL, could allow an attacker to intercept the WhatsApp web session, which requires a QR login. Again, the skill necessary to pull off this attack is low (script-kiddie low).
If such an attack targeted a particular individual, the results could be fatal. The attacker has the potential to acquire very sensitive data from the victim’s device, such as the device type, GPS location, and IMEI and SIM card information.
At the moment, there are no solutions to the problem. Luis Corrons, of PandaLabs, warns people against sending very sensitive information via WhatsApp. But a simpler solution is to turn off the QR code login feature and use a password instead to prevent compromises of your WhatsApp, Line and WeChat sessions.