QRL Jacking: Are QR codes as secure as we believe them to be?

Scanning QR codes for authentication lets you log in to an app without having to memorize credentials. Chat applications, banking services, eCommerce sites, and passport services are among those that widely use this method of authentication.

These codes are considered to be secure, as they are randomly generated and don’t provide many opportunities for eavesdropping attacks. However, attackers have figured out a way to hijack sessions with fake QR codes.


How does it happen


The attacker generates a QR code and convinces the victim to scan it with the help of a well-designed phishing page. The victim scans the QR code with the targeted mobile application. This allows the attacker to gain control of the session and exchange data with the victim’s system. A QRL jacking attack requires a server-side script to design the final look. On the client-side, QR code must be cloned and added to a phishing page. QRL jacking, when combined with other attack techniques such as SSL stripping can cause deeper impacts.


The consequences


Attackers entirely taking over a session, causing account misuse or reputational damage. Sensitive information, including SIM details, IMEI number, and location being harvested by malicious actors. Sensitive information that the attacker potentially harvests to be modified or removed.


Be Safe


  • Session confirmation through notifications can provide details about the session made by the client or server.
  • Implementing IP restrictions will limit authentication on different networks.
  • Location-based restriction is another solution that can minimize attacks.
  • Sound-based authentication, or generating unique data that is converted to audio and then back to its original form using relevant technology may also help.