QRLJacking and Advanced Real Life Attack Vectors
As we all know, If we combine few attack vectors together we can have a greater result. QRLJacking attack can be combined with other powerful attack vectors and techniques to make it more reliable and trustworthy. Here are some examples:
A skilled social engineer attacker will find it easy to convince the victim to scan the QR Code by cloning the whole web application login page with an exact one but with his own attacker side QR Code.
Hacked websites are prone to be injected with a script that displays an Ad or a newly added section displays a cool offer, if the user scanned this QR Code with a specific targeted mobile application his account will be hijacked.
SSL Stripping is an attack vector which is all about striping the SSL encryption of a website and forcing it to work on a non secured version. Web sites without “HSTS Policy” enabled are prone to be stripped which gives the attacker multiple choices to manipulate the content of the website pages by for example, “altering the QR Code login sections”.
A well implemented Login by QR Code feature uses a base64 QR code image generated and well placed in a secured page which will make it very difficult to be manipulated if this website is working over HTTPS and forcing HSTS, but unfortunately a lot of web applications and services uses a CDN based QR image generation process. These CDNs themselves are sometimes stored on servers vulnerable to HTTPS Downgrading attacks. Attackers will find a way to downgrade these secure connections, redirect the CDN URLs to his own QR Code, and since the QR Code is an image this will result in a “passive mixed content” hence the browser will not find any problems viewing it on the web application login page instead of the original one.
This is the coolest attack vector for attacking the local users which exploits the non secured websites over the Local Area Networks, The attacker here is performing MITM (Man in the Middle Attack) against his local area network, poisoning the traffic on the fly by injecting a JS file on every non secured web page resulting in what is clearly shown in figure(4) below.
Figure(4) - A simple lightbox injected in Amazon’s http website asking the user to scan the QR Code to get a 1 Year as a free service of WhatsApp.
Disclaimer: This issue was reported on Feb 18, 2016 under their Support website and we got no reply (Report Numbers: 24058882 and 24058883)
Bad implementation logic of the QR code logins may result in more easy accounts takeover scenarios. During our research we found a specific example: A chat app asks you to scan other people’s QR code to add them as friends, until here it's normal and there are no problems, but when it comes to the login process it’s a big problem. Unfortunately, the application implemented the “login by QR code” feature on the same screen that you’re using to add a friend, so imagine that someone cloned his login qr code and told you “Hey, This is my QR Code, scan it to be my friend, you scanned it, Boom” you lost your account.
