Saturday, 9 December 2017

QRLJACKING-PROTECT YOURSELF



Week Two


Many websites and applications, such as WhatsApp, WeChat and AliPay, use Quick Response (QR) code based authentication, which lets a user log in without typing a password. Before this authentication system, “traditional credential-based authentication systems existed which were vulnerable to phishing attacks” (OWASP, 2017). Another drawback of that approach is “password fatigue” (OWASP, 2017), where a user has to remember a plethora of passwords. Single Sign-On (SSO) and One Time Passwords (OTP) were then introduced to help mitigate these risks. QR code based login was introduced as a variation of SSO in which the user scans a QR code generated by the service he is trying to log in to in order to get the required access. The QRLJacking attack uses a social engineering approach to hijack a user’s session.
“QRLJacking or Quick Response Code Login Jacking is an attack vector capable of session hijacking and affecting all applications that rely on the Login with QR code feature as a secure way to login into accounts” (Mohamed, 2016). The attacker just needs to convince the victim to scan the attacker’s QR code.

Attack Sequence
  • The hacker clones the login QR code into a spoofed page and initiates a client-side QR session;
  • The victim receives the phishing page and scans the QR code with the targeted application;
  • A token is sent to the target service and the hacker gains control of the victim’s account (Swati, 2016).

This can be done automatically by using the QRLJacking Exploitation Framework. After downloading the framework,


QRLJacking Mitigation Techniques
  • Authentication restriction by network identifier and location, as the hacker will most likely be situated remotely;
  • Session confirmation, by displaying some information about the session that has just been created;
  • Two-factor authentication; a password or user ID can be used to supplement the QR login (OWASP, 2016).
Even with these techniques in place, it is also recommended to avoid logging in with QR codes as much as possible.
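The first two mitigations, a network-identifier check and a session confirmation step, are sketched below as an added example of the server side of a QR login flow. This is not code from the page or from the OWASP project; the /24 "same network" heuristic, the in-memory session store and all names (QrLoginService, issue_qr, scan, confirm) are assumptions made for the illustration.

```python
import ipaddress
import secrets
import time
from dataclasses import dataclass
from typing import Optional

QR_TTL_SECONDS = 60  # QR login tokens should be short-lived (constructed value)

def network_id(ip: str) -> str:
    """Coarse network identifier: the /24 block the address belongs to (assumed heuristic)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

@dataclass
class QrSession:
    created: float
    browser_ip: str          # address of the browser that requested and shows the QR
    browser_ua: str
    scanned_by: Optional[str] = None

class QrLoginService:
    """Hypothetical server side of a QR login flow with the two mitigations above."""
    def __init__(self):
        self.sessions = {}

    def issue_qr(self, browser_ip: str, browser_ua: str) -> str:
        token = secrets.token_urlsafe(32)  # this value is what the QR image encodes
        self.sessions[token] = QrSession(time.time(), browser_ip, browser_ua)
        return token

    def scan(self, token: str, user: str, phone_ip: str) -> Optional[dict]:
        """Mobile app posts the scanned token. Returns the session details the app
        must show before the user confirms, or None if the scan is rejected."""
        s = self.sessions.get(token)
        if s is None or time.time() - s.created > QR_TTL_SECONDS:
            self.sessions.pop(token, None)
            return None
        # Mitigation 1: the browser that fetched the QR and the phone that scanned it
        # should share a network; a QR relayed via a phishing page was fetched remotely.
        if network_id(phone_ip) != network_id(s.browser_ip):
            self.sessions.pop(token)
            return None
        s.scanned_by = user
        # Mitigation 2: tell the user where the login request came from so they can refuse.
        return {"browser": s.browser_ua, "browser_ip": s.browser_ip}

    def confirm(self, token: str, user: str) -> bool:
        """Only after the user approves the displayed details is the browser logged in."""
        s = self.sessions.pop(token, None)
        return s is not None and s.scanned_by == user
```

A relayed QR shows up as a scan from a different network than the browser that requested it, and even a same-network scan logs nobody in until the user confirms what was displayed.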

References
Swati K. (July 2016). QRLJacking – Hacking Technique to Hijack QR Code Based Quick Login System. Retrieved from https://thehackernews.com/2016/07/qrljacking-hacking-qr-code.html

OWASP (July 2017). QRLJacking. Retrieved from https://www.owasp.org/index.php/Qrljacking

Mohamed A. (November 2016). QRLJacking – A New Social Engineering Attack Vector. Retrieved from https://github.com/OWASP/QRLJacking



Video Credit: Mohamed A. Baset (seekurity.com). Jul 21, 2016





