We all know that scanning random QR codes is a risky proposition, but a newly detailed social engineering attack vector dubbed QRLJacking adds another layer of risk to their use.
Many web apps and services offer the option of using QR codes for logging into the service: chat apps like WhatsApp and Weibo, email service QQ Mail, e-commerce services like Alibaba and Aliexpress, and others.
As detailed by Seekurity Labs researcher Mohamed Abdelbasset Elnouby, QRLJacking (Quick Response Code Login Jacking) is a method for tricking users into effectively logging an online account into the attacker's browser session by getting them to scan the wrong QR code: one the attacker has fetched from the real service and relayed to a phishing page.
A QRLJacking attack follows these basic steps:
Ultimately, the attacker can take over the victim’s account completely and gather information about the victim’s device and its current location.
“All the attackers need to do to initiate a successful QRLJacking attack is to write a script to regularly clone the expirable QR codes and refresh the ones that are displayed in the phishing website they created,” says Elnouby.
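To make the mechanism concrete from a defender's point of view, the following is an added model of a QR-code login flow, not code from the article, from Elnouby, or from any of the services named above. It assumes a generic design in which a browser requests a short-lived login token (rendered as the QR code), the phone app posts the scanned token together with its own authenticated identity, and the browser then polls for a session. The `QRLoginServer` class, the `simulate` function, and the constructed browser fingerprint and user name are all assumptions made for illustration. The model shows why binding the token to the requesting browser does not help (the attacker's browser is the requester), and why the mitigation that does help is an explicit confirmation on the phone that displays the server's own record of who requested the login rather than anything the QR code or phishing page says.

```python
"""Model of a QR-code login flow and the QRLJacking weakness (constructed example)."""
import secrets
import time

TOKEN_TTL_SECONDS = 30  # assumption: QR login tokens expire quickly


class QRLoginServer:
    """Minimal stand-in for a service that offers QR-code login (hypothetical design)."""

    def __init__(self, require_confirmation):
        self.require_confirmation = require_confirmation
        self.pending = {}   # token -> record of the browser that requested it
        self.sessions = {}  # session id -> user

    def issue_token(self, browser_fingerprint):
        """Browser asks for a login token; the service renders it as a QR code."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = {"issued": time.time(), "browser": browser_fingerprint, "user": None}
        return token

    def scan(self, token, phone_user):
        """Phone app posts the scanned token with its own authenticated identity.

        Returns the server-side record of the requesting browser so the app can
        show it to the user; a phishing page cannot alter this value."""
        rec = self._live(token)
        if rec is None:
            return None
        if self.require_confirmation:
            rec["scanned_by"] = phone_user  # nothing is authorised yet
        else:
            rec["user"] = phone_user        # weak: scanning alone authorises the login
        return rec["browser"]

    def confirm(self, token, phone_user):
        """Explicit approval on the phone, after the requesting browser's details were shown."""
        rec = self._live(token)
        if rec is None or rec.get("scanned_by") != phone_user:
            return False
        rec["user"] = phone_user
        return True

    def poll(self, token, browser_fingerprint):
        """The browser that requested the token polls for its session."""
        rec = self._live(token)
        if rec is None or rec["user"] is None:
            return None
        if rec["browser"] != browser_fingerprint:
            return None  # binding to the requester; useless against QRLJacking, see below
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = rec["user"]
        del self.pending[token]
        return session_id

    def _live(self, token):
        rec = self.pending.get(token)
        if rec is not None and time.time() - rec["issued"] > TOKEN_TTL_SECONDS:
            del self.pending[token]
            return None
        return rec


def simulate(require_confirmation, victim_approves):
    """Replay the flow: the attacker's browser requests the token, the victim's phone scans it.

    Returns the session id the attacker's browser obtains, or None."""
    server = QRLoginServer(require_confirmation)
    attacker_browser = "Chrome on Linux, 203.0.113.7"  # constructed fingerprint
    victim = "victim@example.com"                       # constructed user

    # The attacker's browser requests a fresh token; the QR is relayed to a phishing page.
    token = server.issue_token(attacker_browser)

    # The victim scans the relayed QR. The app receives the requester's details from the server.
    shown_context = server.scan(token, victim)
    if require_confirmation and victim_approves:
        # The app displayed `shown_context` (the attacker's browser, not the victim's);
        # a user who approves anyway still loses, so the displayed context is the control.
        server.confirm(token, victim)

    # The attacker's browser polls with the token it requested.
    return server.poll(token, attacker_browser)
```

In the weak configuration, `simulate(False, False)` hands the attacker's browser a session as soon as the victim scans, which is the behaviour the article describes. With confirmation required, `simulate(True, False)` yields nothing because the token never becomes authorised, while `simulate(True, True)` shows that the confirmation only helps if the user reads the server-supplied context it displays. The browser-fingerprint check in `poll` is included to show that it is not a mitigation here: the attacker is the legitimate requester of the token.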
He demonstrated the attack against a WhatsApp user in this video:
More details about the attack vector, its practicality, possible mitigations, and proof-of-concept attack code can be found on GitHub.