Strava Technologies (P) LTD
Scanning QR codes for authentication lets you log in to an app without having to memorize credentials. Chat applications, banking services, eCommerce sites, and passport services are among those that widely use this method of authentication.
These codes are considered to be secure, as they are randomly generated and don’t provide many opportunities for eavesdropping attacks. However, attackers have figured out a way to hijack sessions with fake QR codes.
The attacker generates a QR code and, with the help of a well-designed phishing page, convinces the victim to scan it. The victim scans the QR code with the targeted mobile application, which lets the attacker take control of the session and exchange data with the victim's system. A QRL jacking attack requires a server-side script to build the final page; on the client side, the QR code must be cloned and embedded in the phishing page. QRL jacking, when combined with other attack techniques such as SSL stripping, can have a deeper impact.
A successful attack can have several impacts. Attackers can entirely take over a session, causing account misuse or reputational damage. Sensitive information, including SIM details, the IMEI number, and location, can be harvested by malicious actors. Information the attacker harvests can also be modified or removed.
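The login flow described above can be hardened on the server side by binding each QR challenge to the client that requested it, expiring it quickly, and making it single-use, so a code relayed through a phishing page is refused when the victim's phone confirms it. The Python below is an added illustration, not code from this page or from any product; `QrLoginBroker`, `same_network`, the 30-second TTL and the /24 locality check are constructed assumptions.

```python
import ipaddress
import secrets

QR_TTL_SECONDS = 30  # assumption: codes older than this are refused even if scanned

def same_network(ip_a, ip_b, prefix=24):
    """Crude locality check (assumption: IPv4, /24) between QR requester and phone."""
    return ipaddress.ip_address(ip_b) in ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)

class QrLoginBroker:
    """Server-side model of a QR login flow (constructed, not a real product)."""
    def __init__(self, clock):
        self._clock = clock      # injectable clock so expiry can be exercised
        self._pending = {}       # token -> {"ip": requester, "created": timestamp}
        self.sessions = {}       # token -> user id for approved logins

    def issue_challenge(self, requester_ip):
        """Called by the web page that wants to display a login QR code."""
        token = secrets.token_urlsafe(32)
        self._pending[token] = {"ip": requester_ip, "created": self._clock()}
        return token  # this value is what the QR code encodes

    def confirm(self, token, user_id, phone_ip, user_accepted):
        """Mobile app approves or declines a scanned challenge; tokens are single-use."""
        c = self._pending.pop(token, None)
        if c is None:
            return "unknown_or_used"
        if self._clock() - c["created"] > QR_TTL_SECONDS:
            return "expired"
        if not same_network(c["ip"], phone_ip):
            return "requester_mismatch"  # code was requested from elsewhere
        if not user_accepted:
            return "declined"
        self.sessions[token] = user_id
        return "ok"

def run_scenarios():
    """Constructed scenarios: own laptop, relayed code, stale code, replay."""
    now = [1000.0]
    b = QrLoginBroker(clock=lambda: now[0])
    t1 = b.issue_challenge("203.0.113.10")   # requested from the victim's own laptop
    ok = b.confirm(t1, "alice", "203.0.113.20", True)
    t2 = b.issue_challenge("198.51.100.5")   # requested by another host and relayed
    relayed = b.confirm(t2, "alice", "203.0.113.20", True)
    t3 = b.issue_challenge("203.0.113.10")
    now[0] += QR_TTL_SECONDS + 1
    stale = b.confirm(t3, "alice", "203.0.113.20", True)
    replay = b.confirm(t1, "alice", "203.0.113.20", True)
    return {"ok": ok, "relayed": relayed, "stale": stale, "replay": replay}
```

A real deployment would additionally show the requester's address and approximate location to the user inside the mobile app before the accept button, so the mismatch is visible to the person as well as to the server.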
© 2021 Strava Technologies (P) Ltd. All rights reserved