QRLJacking [July 28, 2016]

QRLJacking — Hacking Technique to Hijack QR Code Based Quick Login System by Swati Khandelwal.

I put today’s date in the title so several years from now when a “security expert” breathlessly reports on “terrorists” using QRLJacking, you can easily find that it has been in use for years.

For some reason, “security experts” fail to mention that governments, banks, privacy advocates and numerous others in all walks of life and business use cybersecure services. Maybe that’s not a selling point for them. You think?

In any event, Swati gives a great introduction to QRLJacking, starting with:

Do you know that you can access your WeChat, Line and WhatsApp chats on your desktop as well, using an entirely different but faster authentication system?

It’s SQRL, or Secure Quick Response Login, a QR-code-based authentication system that allows users to quickly sign into a website without having to memorize or type in any username or password.

QR codes are two-dimensional barcodes that contain a significant amount of information such as a shared key or session cookie.

A website that implements a QR-code-based authentication system would display a QR code on a computer screen, and anyone who wants to log in would scan that code with a mobile phone app.

Once scanned, the site would log the user in without typing in any username or password.

Since passwords can be stolen using a keylogger, a man-in-the-middle (MitM) attack, or even a brute-force attack, QR codes have been considered secure, as they randomly generate a secret code that is never revealed to anybody else.

But, no technology is immune to being hacked when hackers are motivated.

Following this post and the resources therein, you will be well prepared for when your usual targets decide to “upgrade” to SQRL, or Secure Quick Response Login.
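To make the flow in the quoted paragraphs concrete, here is a small Python simulation. It is an added example, not code from Swati’s article or from any messenger’s login system; the in-memory server, the desktop client, the phone app, the function names, the one-minute expiry and the IP addresses (RFC 5737 documentation ranges) are all assumptions. It runs the honest flow first, then the QRLJacking relay, in which the attacker initiates the login, shows his own QR code on a page the victim is looking at, and polls for the resulting cookie; finally it runs the relay again against a phone app that shows the owner the requesting client’s IP and user agent and asks for confirmation before approving.

```python
"""Toy simulation of a QR-code login flow and the QRLJacking relay against it.

Added example, not code from the linked article or from any messenger's real
login protocol. The server, desktop client, phone app, field names, expiry and
IP addresses (RFC 5737 documentation ranges) are assumptions for the simulation.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

QR_TTL_SECONDS = 60   # assumption: a displayed QR code is valid for one minute


@dataclass
class QrSession:
    token: str                      # random secret carried inside the QR image
    created: float
    requester_ip: str               # client that asked the server to render the QR
    requester_ua: str
    user: Optional[str] = None      # filled in when a phone approves the token
    redeemed: bool = False


class Server:
    """Issues QR tokens, records phone approvals, hands a cookie to the desktop."""

    def __init__(self) -> None:
        self.sessions: dict[str, QrSession] = {}
        self.cookies: dict[str, str] = {}      # session cookie -> username

    def new_qr(self, requester_ip: str, requester_ua: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = QrSession(token, time.time(), requester_ip, requester_ua)
        return token                           # the desktop renders this as a QR code

    def requester_context(self, token: str) -> Optional[dict]:
        s = self.sessions.get(token)
        return None if s is None else {"ip": s.requester_ip, "user_agent": s.requester_ua}

    def approve(self, token: str, user: str) -> bool:
        """Called by the phone app. Rejects unknown, expired or already-approved tokens."""
        s = self.sessions.get(token)
        if s is None or s.user is not None or time.time() - s.created > QR_TTL_SECONDS:
            return False
        s.user = user
        return True

    def poll(self, token: str, requester_ip: str) -> Optional[str]:
        """Called by whoever displayed the QR. Returns a cookie once a phone approved it."""
        s = self.sessions.get(token)
        if s is None or s.user is None or s.redeemed or s.requester_ip != requester_ip:
            return None
        s.redeemed = True                      # single use: a second poll gets nothing
        cookie = secrets.token_urlsafe(32)
        self.cookies[cookie] = s.user
        return cookie


# The phone app's decision rule when it scans a QR. The weak design approves any
# valid token; the hardened one shows the requester's context (IP, user agent)
# and asks the owner to confirm before approving.
ConfirmFn = Callable[[dict], bool]


def phone_scan(server: Server, token: str, user: str, confirm: ConfirmFn) -> bool:
    ctx = server.requester_context(token)
    if ctx is None or not confirm(ctx):
        return False
    return server.approve(token, user)


def honest_login(server: Server, confirm: ConfirmFn) -> Optional[str]:
    """Alice scans the QR shown on her own desktop and gets logged in there."""
    desktop_ip, desktop_ua = "198.51.100.5", "Firefox/48 (Alice's laptop)"
    token = server.new_qr(desktop_ip, desktop_ua)
    phone_scan(server, token, "alice", confirm)
    cookie = server.poll(token, desktop_ip)
    return server.cookies.get(cookie) if cookie else None


def qrljacking(server: Server, confirm: ConfirmFn) -> Optional[str]:
    """The attacker starts a login, relays *his* QR to Alice, and redeems her approval."""
    attacker_ip, attacker_ua = "203.0.113.7", "Chrome/52 (attacker VPS)"
    token = server.new_qr(attacker_ip, attacker_ua)   # attacker's own desktop session
    phishing_page_qr = token                          # same token, shown on a lookalike page
    phone_scan(server, phishing_page_qr, "alice", confirm)
    cookie = server.poll(token, attacker_ip)          # the attacker, not Alice, polls
    return server.cookies.get(cookie) if cookie else None


def approve_blindly(ctx: dict) -> bool:
    return True


def approve_if_it_is_my_desktop(ctx: dict) -> bool:
    # Alice is sitting at 198.51.100.5; a login request from anywhere else is suspicious.
    return ctx["ip"] == "198.51.100.5"


if __name__ == "__main__":
    print("honest login, blind approval:", honest_login(Server(), approve_blindly))
    print("QRLJacking, blind approval:", qrljacking(Server(), approve_blindly))
    print("QRLJacking, context check:", qrljacking(Server(), approve_if_it_is_my_desktop))
```

Note what the server-side checks do and do not buy you. Single use, expiry, and "only the client that requested the QR may redeem it" are all in place, and the relay still succeeds, because the attacker is the client that requested the QR. What breaks it in the simulation is the phone telling the owner where the login request actually came from, and that only helps if the owner reads it and declines; it lowers the risk rather than removing it.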


PS: There is a well-known pattern in this attack, one that is true for other online security systems. Do you see it?
