Friday, July 29, 2016

#QRLJacking - Hijack QRL Code.


Authentication is one of the crucial parameters in information security. It is achieved by passwords, biometrics, 2FA and many other means. One of the features considered to be quite secure is the QR code. Recently a security researcher hijacked the QR code.

A QR code is two-dimensional data that holds secret information, including secret keys and session details. QR codes are used by many sites, including WhatsApp, which uses them to authenticate WhatsApp Web in the browser or in the desktop client.

The security researcher produced a fake login page that resembles the WhatsApp Web login page, and then wrote a script to update the QR code, which changes every 20 seconds on the original site. So whenever the QR code changes, the change is reflected in the fake page. The technique is dubbed #QRLJacking.

If the user scans the QR code with his/her mobile, the account is hijacked and the session is opened on the attacker's machine with full authentication.

This can be done if the page has been faked and the QR code, which changes periodically, is also kept updated on the fake page.

The security researcher has also created a PoC, which can be viewed publicly here.

P.S.: This post is meant to create awareness and is not to be misused.
