QRL Jacking: Are QR codes as secure as we believe them to be?

• QRL Jacking or Quick Response Code Login Jacking exploits the popular ‘Login with QR code’ feature.
• It is a type of social engineering attack that potentially allows the hijack of a session.

Scanning QR codes for authentication lets you log in to an app without having to memorize credentials. Chat applications, banking services, eCommerce sites, and passport services are among those that widely use this method of authentication.

These codes are considered to be secure, as they are randomly generated and don’t provide many opportunities for eavesdropping attacks. However, attackers have figured out a way to hijack sessions with fake QR codes.

How does it happen?

The attacker generates a QR code and convinces the victim to scan it with the help of a well-designed phishing page.

• The victim scans the QR code with the targeted mobile application.
• This allows the attacker to gain control of the session and exchange data with the victim’s system.
• A QRL jacking attack requires a server-side script to design the final look. On the client-side, QR code must be cloned and added to a phishing page.

QRL jacking, when combined with other attack techniques such as SSL stripping can cause deeper impacts.

The consequences

This attack can result in:

• Attackers entirely taking over a session, causing account misuse or reputational damage.
• Sensitive information, including SIM details, IMEI number, and location being harvested by malicious actors.
• Sensitive information that the attacker potentially harvests to be modified or removed.

Staying safe

Apart from using QR codes to log in only when necessary, you can also look at a few other ways to prevent this attack.

• Session confirmation through notifications can provide details about the session made by the client or server.
• Implementing IP restrictions will limit authentication on different networks.
• Location-based restriction is another solution that can minimize attacks.
• Sound-based authentication, or generating unique data that is converted to audio and then back to its original form using relevant technology may also help.