Slashdot Mirror


QRLJacking Attack Can Bypass Any QR Login System (helpnetsecurity.com)

dinscott and an anonymous reader are reporting a new type of attack that bypasses SQRLs or Secure, Quick, Reliable Logins: "[As detailed by Seekurity Labs researcher Mohamed A. Baset], QRLJacking (i.e. Quick Response Code Login Jacking) is a method for tricking users into effectively logging into an online account on behalf of the attacker by making them scan the wrong QR code," reports Help Net Security. An anonymous Slashdot reader adds from a report via Softpedia: "In a Facebook post, Baset says he tested his attack on sites such as WhatsApp, WeChat, Line, Weibo, QQ Instant Messaging, QQ Mail, Alibaba, and more," reports Softpedia. The QRLJacking attack is nothing more than a social engineering attack that works by requesting a QR code for the service the victim is trying to log in to and modifying the QR code to send the confirmation message to the attacker's computer. The crook can modify these login details, add the data belonging to his PC, relay the data from his phone to the default login server, and access the victim's account from his PC. This attack needs both the attacker and the victim to be online at the same time, and can be defeated by any user that pays attention to the URL [of the page they're logging into with an account]. Judging that it's 2016 and people are still falling victim to phishing attacks, there's a high chance the attack can work. Baset demonstrated the attack against a WhatsApp user in a video posted to YouTube.

3 of 31 comments

  1. Re:Social engineering by Entrope · Score: 3, Insightful

    Misfeatures like that are (arguably) serious design flaws. Correct operation requires the user to pay attention to something that works properly almost all the time, but when it doesn't work, it drives the user underneath a truck at 80 miles per hour.

    Something like that, anyway.

  2. Re:From GRC who brought you ShieldsUp! and SpinRit by TuballoyThunder · Score: 3, Insightful

    They may be crap, but it does not appear that this attack would work with SQRL. The SQRL client hashes the URL of the website, signs the result, and then sends the result to the URL encoded in the QR code. In this attack, the client would see that there is a mismatch between the phishing website and the URL encoded in the QR code. If the attacker modifies the QR code to fix that discrepancy, the SQRL blob would have the wrong URL hashed and the server would reject the login attempt.

    The researcher does not mention SQRL in his post or the github repo. That was added by the editor or the submitter.
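
The two checks this comment describes (the client noticing a domain mismatch, and the server rejecting a response bound to the wrong URL), as an added Python sketch that is not part of the original thread or of any SQRL implementation. Assumptions: HMAC-SHA256 stands in for the public-key signature, and the names `site_key`, `client_respond` and `Server`, the URL shape, the `example.test`/`phish.test` domains and the key are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: HMAC-SHA256 stands in for SQRL's public-key signature, so the
# server holds the per-site key it received at enrolment. Constructed values.
MASTER_KEY = b"constructed-demo-master-key"

def site_key(domain):
    # Per-site key derived from the domain named in the QR code.
    return hmac.new(MASTER_KEY, domain.encode(), hashlib.sha256).digest()

def client_respond(qr_url, page_domain):
    # page_domain: the site the user believes they are logging in to.
    qr_domain = urlsplit(qr_url).hostname
    if qr_domain != page_domain:
        return None  # mismatch: the client refuses to answer
    tag = hmac.new(site_key(qr_domain), qr_url.encode(), hashlib.sha256).digest()
    return qr_url, tag

class Server:
    def __init__(self, domain, enrolled_key):
        self.domain = domain
        self.enrolled_key = enrolled_key
        self.pending = set()  # login URLs this server has issued

    def issue_qr(self, nonce):
        url = f"sqrl://{self.domain}/login?nut={nonce}"
        self.pending.add(url)
        return url

    def verify(self, url, tag):
        # Accept only a URL this server issued, signed with the enrolled key.
        expected = hmac.new(self.enrolled_key, url.encode(), hashlib.sha256).digest()
        ok = url in self.pending and hmac.compare_digest(expected, tag)
        if ok:
            self.pending.discard(url)  # each login URL is single use
        return ok

if __name__ == "__main__":
    srv = Server("example.test", site_key("example.test"))
    qr = srv.issue_qr("n1")
    print("relayed QR answered by client:", client_respond(qr, "phish.test"))
    forged = client_respond(qr.replace("example.test", "phish.test"), "phish.test")
    print("rewritten QR accepted by server:", srv.verify(*forged))
    print("honest login accepted:", srv.verify(*client_respond(qr, "example.test")))
```
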

  3. It's 2016 by Anonymous Coward · Score: 3, Insightful

    It's 2016 and browsers are trying to get rid of the URL bar. Hovering over a link to see where it might go is meaningless (JavaScript URL rewriting and URL shorteners) and you can't even do that in some mobile browsers. Any attack that requires users to not look at a URL will succeed now and even more so in the future.