QRLJacking Attack Can Bypass Any QR Login System (helpnetsecurity.com) 31

dinscott and an anonymous reader report on a new type of attack that bypasses SQRLs, or Secure, Quick, Reliable Logins: "[As detailed by Seekurity Labs researcher Mohamed A. Baset], QRLJacking (i.e. Quick Response Code Login Jacking) is a method for tricking users into effectively logging into an online account on behalf of the attacker by making them scan the wrong QR code," reports Help Net Security. An anonymous Slashdot reader adds from a report via Softpedia: "In a Facebook post, Baset says he tested his attack on sites such as WhatsApp, WeChat, Line, Weibo, QQ Instant Messaging, QQ Mail, Alibaba, and more," reports Softpedia. The QRLJacking attack is nothing more than a social engineering attack that works by requesting a QR code for the service the victim is trying to log in to and modifying the QR code to send the confirmation message to the attacker's computer. The crook can modify these login details, add the data belonging to his PC, relay the data from his phone to the default login server, and access the victim's account from his PC. This attack needs both the attacker and the victim to be online at the same time, and can be defeated by any user who pays attention to the URL [of the page they're logging into with an account]. Judging that it's 2016 and people are still falling victim to phishing attacks, there's a high chance the attack can work. Baset demonstrated the attack against a WhatsApp user in a video posted to YouTube.
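The summary describes the attack's shape: a login code is requested by one client, shown to the victim, and the victim's phone approves it for whoever asked. The following is an added example (not code from the original story, from the researcher, or from any of the services named) of how a QR login server can bind each pending code to the client that requested it and refuse to turn a relayed code into a session without the user seeing where the login actually comes from. Everything in it is constructed for illustration: the server class, the `rid`/`nonce` payload format, the user names and the RFC 5737 documentation addresses are assumptions, not any real service's protocol.

```python
"""Simulation of a QR-code login flow that binds each pending login to the
client that requested the QR code, so that a code relayed to someone else's
phone does not silently turn into an approved session.

All names, IP addresses and user agents here are constructed for the
example (RFC 5737 documentation ranges); nothing is taken from a real
service's protocol."""
import json
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class PendingLogin:
    nonce: str            # secret carried inside the QR code, single use
    browser_ip: str       # network origin of the client that asked for the code
    user_agent: str       # shown to the user on the phone as login context
    created: float
    user: Optional[str] = None
    session_token: Optional[str] = None
    consumed: bool = False


class QRLoginServer:
    TTL_SECONDS = 60  # a code that lingers on screen stops being valid

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._pending: Dict[str, PendingLogin] = {}

    def create_login_request(self, browser_ip: str, user_agent: str):
        """Browser side: ask for a fresh code. Returns (request_id, qr_payload);
        qr_payload is the text that would be rendered into the QR image."""
        request_id = secrets.token_urlsafe(8)
        nonce = secrets.token_urlsafe(32)
        self._pending[request_id] = PendingLogin(nonce, browser_ip, user_agent, self._now())
        return request_id, json.dumps({"rid": request_id, "nonce": nonce})

    def confirm_from_phone(self, qr_payload: str, phone_ip: str, user: str,
                           acknowledged_context: bool = False) -> dict:
        """Phone side: the already-authenticated app scanned a code. The server
        checks nonce, age and single use, then compares the phone's network
        origin with the browser's. A mismatch is not approved automatically:
        the app must display the login context and the user must explicitly
        acknowledge it (acknowledged_context=True) before a session is issued."""
        try:
            data = json.loads(qr_payload)
        except ValueError:
            return {"status": "denied", "reason": "malformed payload"}
        if not isinstance(data, dict):
            return {"status": "denied", "reason": "malformed payload"}
        req = self._pending.get(str(data.get("rid", "")))
        if req is None or req.consumed:
            return {"status": "denied", "reason": "unknown or already used request"}
        if self._now() - req.created > self.TTL_SECONDS:
            req.consumed = True
            return {"status": "denied", "reason": "expired"}
        if not secrets.compare_digest(req.nonce.encode(), str(data.get("nonce", "")).encode()):
            return {"status": "denied", "reason": "nonce mismatch"}
        context = {"browser_ip": req.browser_ip, "user_agent": req.user_agent}
        if phone_ip != req.browser_ip and not acknowledged_context:
            # The confirming device is not where the code was requested, which is
            # the shape of a relayed code. The nonce is not consumed yet; the app
            # shows the context so the user can recognise a foreign login attempt.
            return {"status": "review_required", "context": context}
        req.consumed = True
        req.user = user
        req.session_token = secrets.token_urlsafe(32)
        return {"status": "approved", "context": context}

    def poll(self, request_id: str) -> Optional[dict]:
        """Browser side: poll for the session once the phone has approved."""
        req = self._pending.get(request_id)
        if req is None or req.session_token is None:
            return None
        return {"user": req.user, "session": req.session_token}


def demo() -> dict:
    """Run the legitimate flow and the relayed-code flow side by side."""
    srv = QRLoginServer()
    # Legitimate: laptop and phone share the same home NAT address (constructed).
    rid, qr = srv.create_login_request("198.51.100.7", "Firefox/48 on Linux")
    legit = srv.confirm_from_phone(qr, "198.51.100.7", "alice")
    legit_session = srv.poll(rid)
    replay = srv.confirm_from_phone(qr, "198.51.100.7", "alice")  # second scan of the same code
    # Relayed: the code was requested from another network and shown to alice's phone.
    rid2, qr2 = srv.create_login_request("203.0.113.5", "Chrome/52 on Windows")
    relayed = srv.confirm_from_phone(qr2, "198.51.100.7", "alice")
    relayed_session = srv.poll(rid2)
    return {"legit": legit["status"], "legit_session_user": legit_session["user"],
            "replay": replay["status"], "relayed": relayed["status"],
            "relayed_context": relayed.get("context"), "relayed_session": relayed_session}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The origin comparison is a heuristic, not proof: a phone on mobile data and a laptop on Wi-Fi will legitimately differ, which is why a mismatch produces `review_required` with the requesting browser's address and user agent rather than a hard denial. That moves the "pay attention" step the summary relies on out of the browser's URL bar, which the phishing page controls, and into the authenticated app, which it does not; the single-use nonce and short TTL limit how long a harvested code stays usable.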
  • by Anonymous Coward

    His squirrel has lost all of his nuts! Or I guess in this case, has had his nuts switched out behind the scenes!

  • by Sebby ( 238625 ) on Monday August 01, 2016 @10:22PM (#52625941)

    The QRLJacking attack is nothing more than a social engineering attack

    So it's really not a flaw or bug of the system; just a lack of user education.

    • by Entrope ( 68843 ) on Monday August 01, 2016 @10:26PM (#52625953) Homepage

      Misfeatures like that are (arguably) serious design flaws. Correct operation requires the user to pay attention to something that works properly almost all the time, but when it doesn't work, it drives the user underneath a truck at 80 miles per hour.

      Something like that, anyway.

      • by Anonymous Coward

        I don't see how this is different from clicking on a (possibly malicious) link. Do you think hyperlinks are a serious design flaw?

        • The app performs a security function, and there are lots of good technical ways to defeat such primitive MITM attacks. Making the user pay attention to hyperlink text from a source that is almost always good is a recipe for failure. A security app is not inherently suspect like emails from Prince Iwanna Scamya or dodgy websites are inherently suspect.

  • It's 2016 (Score:3, Insightful)

    by Anonymous Coward on Tuesday August 02, 2016 @12:13AM (#52626251)

    It's 2016 and browsers are trying to get rid of the URL bar. Hovering over a link to see where it might go is meaningless (JavaScript URL rewriting and URL shorteners) and you can't even do that in some mobile browsers. Any attack that requires users to not look at a URL will succeed now and even more so in the future.

  • To be perfectly clear, this attack IS just an update on normal authentication session phishing, where the attacker gets the target to authenticate a copy of the login form while the attacker is the custodian of the associated session cookie. If the user is inattentive it will work with all normal authentication methods and sadly also SQRL et al. when used in remote authentication (QR-Code) mode**. Thus most of these authentication methods exclude it from their designs as being out of scope.

    That said, SQRL wa
