Now, a days there is an ongoing trend, which resides in each and every website and that is Secure Quick Response Login(SQRL). SQRL means, logging into a system which is QR-code based, which also allows quick login for the admins, without remembering any password or username.
Generally, QR codes are 2-d barcodes, that contains significant amount of information into it, which may be shared key or session cookie. A website which implements this technique, follows a QR code scanning from the computer into the mobile phone app and once it is scanned, then site will log the user into the site without username and password. It is also safe from MITM attacks, brute force attacks, since there is no chance of password robbery here. But, today in this attack prone world nothing is beyond the hacker’s hands, just all they need is to be fuelled up or motivated. Hence, this technology is also attack immune.
Information security researcher Mohamed Abdelbasset has made a new concept of QRLJacking, which is used to hack accounts from services based on QR code login. This technique is a simple one, but nasty vector attack, which means it will affect all the applications that rely on it. Just one thing that attacker need to do is, convince the victim into scanning the attacker’s QR code.
Steps to follow for doing QRLJacking Technique:-
- Firstly attacker must initialise a client side QR code session and then clone QR code into a phishing page.
- Then attacker must send that phishing page to the victim.
- If, user sees the QR code and he/she is convinced by it, then they may scan that code with their particular mobile app.
- Then, mobile app which we had used for the QR scanning, may send a token to the targeted victim, so that they may complete their Login.
- Now, this would give the remote access to the hackers to control victim’s account.
- Then, just after it, service automatically starts exchanging the data between the attacker and the victim.
So, to carry out a QRLJacking attack, the things which attacker needs are:-
- A refreshing script containing QR code
- And a well crafted(without any dissimilarity) Phishing Web page.
Through this technique hacker gains the full access of the website, which also discloses the vulnerabilities of Vulnerable QR code based login service. This may also provide the exact location of victim through current GPS location, device IMEI number, SIM card data and other confidential data that the client app presents at the login process.
Hence, through these techniques we could come to a result that nothing is 100% safe in this techno magical world. And if you aren’t updated then you may also be in the list of victims.