QRL Jacking

Quick Response Code Login Jacking (also known as QRL Jacking) is a social engineering attack in which the attacker hijacks a session. It affects all applications that depend on the “Login with QR code” feature as a secure way to log in to their respective accounts. In simpler words, the victim scans the attacker’s QR code, which results in session hijacking.

For example, by using the QRL Jacking tool, the attacker can create a phishing page of the WhatsApp Web QR code. When the victim scans this QR code from his/her device, the generated authentication token is sent to the attacker’s server. The attacker then verifies the authentication token from the WhatsApp Web website and can then see the victim’s messages.

  1. The attacker generates a QR session and clones the Login QR code into a phishing website. Then the well-crafted phishing page with a valid and updated QR code is ready to be sent to the victim.
  2. After that, the attacker sends the phishing page to the victim by using his social engineering skills.
  3. The victim scans the QR code with a specific device.
  4. The attacker gains control of the victim’s account.
  5. The victim’s data is exchanged with the attacker’s session.
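
A server-side view of steps 1 to 3, as an added example (not code from the original post or from the QRLJacking framework): a hypothetical `QrLoginService` shows why a QR session opened on one machine and scanned from another is accepted when the token is not bound to the requesting browser, and how a binding check, a short lifetime and single use reject it. The class names, the TTL value and the IP addresses are constructed for illustration.

```python
import secrets
from dataclasses import dataclass

QR_TTL_SECONDS = 20  # assumed lifetime of one QR code before it must be refreshed

@dataclass
class QrSession:
    requester_ip: str   # browser that asked for the QR code (step 1)
    issued_at: float    # time the code was issued, in seconds
    user: str = ""      # filled in once a phone approves the login

class QrLoginService:
    """Hypothetical server side of a 'Login with QR code' feature."""
    def __init__(self, bind_to_requester):
        self.bind_to_requester = bind_to_requester
        self.sessions = {}

    def issue_qr(self, requester_ip, now):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = QrSession(requester_ip, now)
        return token

    def approve(self, token, user, scanner_ip, now):
        """Called when a logged-in phone scans the code (step 3)."""
        s = self.sessions.get(token)
        if s is None:
            return "rejected: unknown token"
        if s.user:
            return "rejected: token already used"
        if now - s.issued_at > QR_TTL_SECONDS:
            return "rejected: expired"
        if self.bind_to_requester and scanner_ip != s.requester_ip:
            return "rejected: scanner and requesting browser differ"
        s.user = user
        return "approved"

def demo():
    # Constructed addresses from documentation ranges, not real hosts.
    browser_ip, phone_ip = "203.0.113.10", "198.51.100.7"
    results = {}
    for bind in (False, True):
        svc = QrLoginService(bind_to_requester=bind)
        token = svc.issue_qr(browser_ip, now=0)   # session opened on another machine
        outcome = svc.approve(token, "alice", phone_ip, now=5)
        results[bind] = (outcome, svc.sessions[token].user)
    return results

if __name__ == "__main__":
    print(demo())
```

Exact IP matching is a simplification: a phone on mobile data and a browser on Wi-Fi would not match, so a real service would need a looser comparison or an explicit confirmation step on the phone.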


On Windows

After downloading the Framework and Python:

  1. cd QrlJacking-Framework
  2. pip install -r requirements.txt
  3. python .py

On Ubuntu or Kali Linux

  1. git clone https://github.com/OWASP/QRLJacking
  2. cd QrlJacking-Framework
  3. pip install -r requirements.txt
  4. python .py

On OSX

  1. git clone https://github.com/OWASP/QRLJacking
  2. cd QrlJacking-Framework
  3. sudo easy_install pip
  4. sudo pip install -r requirements.txt
  5. python .py

The QRL Jacking attack consists of two sides:

  1. Server Side: A server-side script is needed to serve the page and shape the final look presented to the victim.
  2. Client Side: Cloning the QR Code and pushing it to the phishing page.


Let’s take an example from one (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Sayaala. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/iGFrmEqwAFQ/