Did you know that you can access your WeChat, Line and WhatsApp chats on your desktop as well, using an entirely different, but fastest, authentication system?
It’s SQRL, or Secure Quick Response Login, a QR-code-based authentication system that lets users quickly sign in to a website without memorizing or typing in any username or password. QR codes are two-dimensional barcodes that contain a significant amount of information, such as a shared key or session cookie.
A website that implements a QR-code-based authentication system displays a QR code on a computer screen, and anyone who wants to log in scans that code with a mobile phone app. Once scanned, the site logs the user in without them typing in any username or password.
Since passwords can be stolen using a keylogger, a man-in-the-middle (MitM) attack, or even a brute-force attack, QR codes have been considered secure because the system randomly generates a secret code, which is never revealed to anybody else.
However, no technology is immune to being hacked when hackers are motivated.
QRLJacking: Hijacking QR Code Based Login System
Mohamed Abdelbasset Elnouby, an Egyptian information security researcher and Cyber Security Advisor at Seekurity Inc., has come up with a proof-of-concept demonstrating a new session hijacking technique that can be used to hack accounts from services that use the “Login with QR code” feature as a secure way to log in to accounts.
Dubbed QRLJacking (or Quick Response code Login Jacking), the technique is a “simple but nasty attack vector” that affects all the applications that rely on the Login with QR code feature.
Here’s How the QRLJacking Technique Works:
Here’s how the attack works:
1. The attacker initializes a client-side QR session and clones the login QR code into a phishing page.
2. The attacker then sends the phishing page to the victim.
3. If convinced, the victim scans the QR code with the specific targeted mobile app.
4. The mobile app sends the secret token to the target service to complete the authentication process.
5. As a result, the attacker, who initialized the client-side QR session, gains control over the victim’s account.
6. The service then starts exchanging all the victim’s data with the attacker’s browser session.
So, to carry out a successful QRLJacking attack, all an attacker needs is:
- A QR code refreshing script.
- A well-crafted phishing web page.
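The login flow in the steps above, modelled from the service's side as an added example (not code from the original article or from any real service). The class, method names, addresses and the `bind_network` check are assumptions; the check is one possible mitigation that compares the network of the browser that opened the session with the network of the phone that scanned the code.

```python
import ipaddress
import secrets

def same_network(a, b, prefix=24):
    """Coarse check: do two IPv4 addresses share the same /prefix network?"""
    net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    return ipaddress.ip_address(b) in net

class QRLoginService:
    """Toy model of a 'Login with QR code' backend (constructed, not a real API)."""

    def __init__(self, ttl=30, bind_network=False):
        self.ttl = ttl                    # seconds a QR token stays valid
        self.bind_network = bind_network  # hypothetical mitigation switch
        self.pending = {}                 # token -> (browser_id, browser_ip, issued)
        self.logged_in = {}               # browser_id -> account

    def start_session(self, browser_id, browser_ip, now):
        """A browser requests a login QR code; the QR encodes this token."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = (browser_id, browser_ip, now)
        return token

    def approve(self, token, account, phone_ip, now):
        """The mobile app submits a scanned token for its signed-in account."""
        entry = self.pending.pop(token, None)   # tokens are single use
        if entry is None:
            return "unknown-token"
        browser_id, browser_ip, issued = entry
        if now - issued > self.ttl:
            return "expired"
        if self.bind_network and not same_network(browser_ip, phone_ip):
            return "rejected-network-mismatch"
        # The account is attached to the browser that STARTED the session,
        # not to whichever page happened to display the QR image.
        self.logged_in[browser_id] = account
        return "ok"

def scan_from_elsewhere(bind_network):
    """Constructed case: session opened at 203.0.113.7, QR scanned at 198.51.100.20."""
    svc = QRLoginService(bind_network=bind_network)
    token = svc.start_session("browser-A", "203.0.113.7", now=0)
    result = svc.approve(token, "alice", "198.51.100.20", now=5)
    return result, svc.logged_in.get("browser-A")

if __name__ == "__main__":
    print(scan_from_elsewhere(False))  # session initiator ends up logged in
    print(scan_from_elsewhere(True))   # binding check refuses the approval
```

A /24 comparison is deliberately coarse: a phone on mobile data and a desktop on Wi-Fi would also fail it, so a check like this is better used to trigger an explicit confirmation step than as a hard block.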
Video Demonstration: Hacking WhatsApp Account Using QRLJacking
A successful QRLJacking attack gives an attacker the ability to apply a full account hijacking scenario on the vulnerable QR-code-based login service, resulting in account hijacking and disclosure of other information such as the victim’s accurate current GPS location, device IMEI number, SIM card data and other sensitive information that the client application presents during the login process.
She is a Security Researcher at Intel Security and a Certified Ethical Hacker (CEHv8), Certified Spam Fighter, and Cyber Forensics Investigator with more than 4 years of experience in various domains of information security.