QRLJacking, or Quick Response Code Login Jacking, is a simple but nasty attack vector affecting all applications that rely on a “Login with QR code” feature as a secure way to log into accounts; the attacker's aim is to hijack the user's session. Hacking a QR-code-based login system is not an easy task, and that is not what we are dealing with here! I'm just giving you some details about it.
This attack vector was introduced by Mohamed Abdelbasset Elnouby (@SymbianSyMoh), a security researcher from Seekurity Labs.
Using QRLJacking, you can hijack sessions for the following services:
WhatsApp, WeChat, Line, Weibo, QQ Instant Messaging
QQ Mail (Personal and Business Corporate), Yandex Mail
Alibaba, Aliexpress, Taobao, Tmall, 1688.com, Alimama, Taobao Trips
AliPay, Yandex Money, TenPay
Passport Services “Critical”:
Yandex Passport (Yandex Mail, Yandex Money, Yandex Maps, Yandex Videos, etc…)
Mobile Management Software:
MyDigiPass, Zapper & Zapper WordPress Login by QR Code plugin, Trustly App, Yelophone, Alibaba Yunos
If you want to try it and see how to prepare everything, check the official OWASP GitHub repository for the QRLJacking Attack Vector.
Hack hack hack!