ECE 9069 Hacking Companion Notes on QRLJacker
image by OWASP
Overview
QR Code
QR code (Quick Response barcode that consists of black squares and dots. As it can be readily scanned by an imaging device, such as camera of smartphones, it is now being widely used in many aspects of our daily life. Its core function is to offer a convenient way to direct smartphone users to a variety of other media, for instance, website addresses. It also enables electronic payments, contacts sharing on social media, etc. Since the way that QR code stores information, we can only know its content after scanning, therefore QR code is susceptible to many potential vulnerabilities.
How does QR code work?
- Four encoding modes
- numeric, alphanumeric, binary, and kanji
- Decoded by using Reed-Solomon error correction
QRLJacking
QRLJacking is a simple social engineering attack vector capable of session hijacking by exploiting some QR code vulnerabilities. It was published as an open source software by OWASP in 2016code is widely . Potentially all applications that support “Login with QR code” function can be affected.
Vulnerable Applications
- Line
- Discord
- …
Attack Flow
- The attacker initiates a client side QR session and clone the login QR code into a phishing website
- The attacker sends the phishing page to the victim and convince the victim to scan it
- The victim scans the QR code with a targeted mobile app
- The attacker captures the login session and gain control
- The server is exchaning the victim’s data with the attacker’s session
image by OWASP
Commands and Flags Used
- Options
Display available options
- Set port – /set host –
Setting port and host of the attacker’s web server hosting the fake QR login page
- Sessions -l
Display captured sessions information
- Sessions -i ID
Interact with a captured session by ID
How Phishing can be done?
- Spam emails, social media
- Third-party login
- Fake website domain name
Implications
- Account Hijacking
The attacker is able to get access to the victim’s account
- Information Disclosure
The victim’s data is transferred to the attacker’s session
- Contact Phishing
The attacker is able to fauad the victim’s contact and lead to reputation loss
Advantages & Shortcomings
Advantages
- Easy to hidden its true content
- QR code has popularity
Shortcomings
- Hard to keep unnoticed by victims
- Session timeout
- Victims regain control by logging out from their mobile end
- Third party warning may remind the victim of redirecting to external webpage
Tool Command List
Session management commands Usage: sessions -flag
flag | Description |
---|---|
-h |
Show help message |
-l |
list all captured sessions |
K |
Remove all captured sessions |
s |
search for sessions |
k ID |
Remove a session by ID |
i ID |
Intereact with a captured session by ID |
References
-
http://community102.com/things-you-should-know-about-the-quick-response-qr-code/
-
https://www.fastprint.co.uk/blog/quick-response-codes-what-are-they-and-how-do-they-work.html#:~:text=How%20Does%20A%20QR%20Code%20Work%3F&text=Basically%2C%20a%20QR%20code%20works,represent%20certain%20pieces%20of%20information
-
https://github.com/OWASP/QRLJacking
-
https://owasp.org/www-community/attacks/Qrljacking#:~:text=Overview,way%20to%20login%20into%20accounts
-
https://blog.beaconstac.com/2019/02/year-of-qr-codes/#:~:text=geofencing%20powered%20app.-,How%20popular%20are%20QR%20codes%20in%202021%3F,scan%20QR%20codes%20by%202020