QRLJacking A New Social Engineering Attack Vector
QRLJacking A New Social Engineering Attack Vector

QRLJacking: A New Social Engineering Attack Vector

QRLJacking or Quick Response Code Login Jacking is a simple social engineering attack vector capable of session hijacking affecting all applications that rely on the “Login with QR code” feature as a secure way to login into accounts. In a nutshell, the victim scans the attacker’s QR code which results in session hijacking.

QRLJacker QRLJacking Exploitation Framework
QRLJacker: QRLJacking Exploitation Framework

Technical Paper

The technical paper clarifying everything about the QRLJacking attack vector can be found directly via our Wiki.

Installing

Prerequisites before installing:

  1. Linux or MacOS. (Not working on windows)
  2. Python 3.7+

Note

Don’t install QRLJacker and Firefox as root in a regular user’s session because it’s not supported by Firefox which would give error on running modules in framework.

Important note: If you have multiple python version, use python3.7 command instead of python3 in the following steps and use python3.7 -m pip instead of pippip3 or even python3 -m pip because that’s the reason of 95% of the issues opened here. I think people often skip the important parts.

"
"
  1. Update Firefox browser to the latest version
  2. Install the latest geckodriver from here and extract the file then do:
chmod +x geckodriver
sudo mv -f geckodriver /usr/local/share/geckodriver
sudo ln -s /usr/local/share/geckodriver /usr/local/bin/geckodriver
sudo ln -s /usr/local/share/geckodriver /usr/bin/geckodriver
  1. Clone the repo with:
git clone https://github.com/OWASP/QRLJacking
cd QRLJacking/QRLJacker
  1. Install all the requirements with
pip install -r requirements.txt
  1. Now you can run the framework with
python3 QrlJacker.py --help

Tested on

  • Ubuntu 18.04 Bionic Beaver
  • Kali Linux 2018.x and up

Usage

Commandline arguments

usage: QrlJacker.py [-h] [-r ] [-x ] [--debug] [--dev] [--verbose] [-q]

optional arguments:
  -h, --help  show this help message and exit
  -r          Execute a resource file (history file).
  -x          Execute a specific command (use ; for multiples).
  --debug     Enables debug mode (Identifying problems easier).
  --dev       Enables development mode (Reloading modules every use).
  --verbose   Enables verbose mode (Display more details).
  -q          Quit mode (no banner).

Main menu help

General commands
=================
	Command               Description
	---------             -------------
	help/?                Show this help menu.
	os      <command>     Execute a system command without closing the framework
	banner                Display banner.
	exit/quit             Exit the framework.

Core commands
=============
	Command               Description
	---------             -------------
	database              Prints the core version, check if framework is up-to-date and update if you are not up-to-date.
	debug                 Drop into debug mode or disable it. (Making identifying problems easier)
	dev                   Drop into development mode or disable it. (Reload modules every use)
	verbose               Drop into verbose mode or disable it. (Make framework displays more details)
	reload/refresh        Reload the modules database.

Resources commands
==================
	Command               Description
	---------             -------------
	history               Display commandline most important history from the beginning.
	makerc                Save the most important commands entered since start to a file.
	resource  <file>      Run the commands stored in a file.

Sessions management commands
============================
	Command               Description
	---------             -------------
	sessions (-h)         Dump session listings and display information about sessions.
	jobs     (-h)         Displays and manages jobs.

Module commands
===============
	Command               Description
	---------             -------------
	list/show             List modules you can use.
	use      <module>     Use an available module.
	info     <module>     Get information about an available module.
	previous              Runs the previously loaded module.
	search   <text>       Search for a module by a specific text in its name or in its description.

Module menu help

General commands
=================
	Command               Description
	---------             -------------
	help/?                Show this help menu.
	os      <command>     Execute a system command without closing the framework
	banner                Display banner.
	exit/quit             Exit the framework.

Core commands
=============
	Command               Description
	---------             -------------
	database              Prints the core version and then check if it's up-to-date.
	debug                 Drop into debug mode or disable it. (Making identifying problems easier)
	dev                   Drop into development mode or disable it. (Reload modules every use)
	verbose               Drop into verbose mode or disable it. (Make framework displays more details)
	reload/refresh        Reload the modules database.

Resources commands
==================
	Command               Description
	---------             -------------
	history               Display commandline most important history from the beginning.
	makerc                Save the most important commands entered since start to a file.
	resource  <file>      Run the commands stored in a file.

Sessions management commands
============================
	Command               Description
	---------             -------------
	sessions (-h)         Dump session listings and display information about sessions.
	jobs     (-h)         Displays and manages jobs.

Module commands
===============
	Command               Description
	----------            --------------
	list/show             List modules you can use.
	options               Displays options for the current module.
	set                   Sets a context-specific variable to a value.
	run                   Launch the current module.
	use     <module>      Use an available module.
	info    <module>      Get information about an available module.
	search  <text>        Search for a module by a specific text in its name or in its description.
	previous              Sets the previously loaded module as the current module.
	back                  Move back from the current context.

Sessions command help menu

usage: sessions [-h] [-l] [-K] [-s] [-k] [-i]

optional arguments:
  -h   Show this help message.
  -l   List all captured sessions.
  -K   Remove all captured sessions.
  -s   Search for sessions with a specifed type.
  -k   Remove a specifed captured session by ID
  -i   Interact with a captured session by ID.

Jobs command help menu

usage: jobs [-h] [-l] [-K] [-k]

optional arguments:
  -h   Show this help message.
  -l   List all running jobs.
  -K   Terminate all running jobs.
  -k   Terminate jobs by job ID or module name

Vulnerable Web Applications and Services

There are a lot of well-known web applications and services which were vulnerable to this attack until the date we wrote this paper. Here are some examples (that we have reported) including, but not limited to:

  • Chat Applications:

WhatsApp, WeChat, Line, Weibo, QQ Instant Messaging

  • Mailing Services:

QQ Mail (Personal and Business Corporate), Yandex Mail

"
"
  • eCommerce:

Alibaba, Aliexpress, Taobao, Tmall, 1688.com, Alimama, Taobao Trips

  • Online Banking:

AliPay, Yandex Money, TenPay

  • Passport Services “Critical”:

Yandex Passport (Yandex Mail, Yandex Money, Yandex Maps, Yandex Videos, etc…)

  • Mobile Management Software:

AirDroid

  • Other Services:

MyDigiPass, Zapper & Zapper WordPress Login by QR Code plugin, Trustly App, Yelophone, Alibaba Yunos

Dark Mode

QRLJacking (this link opens in a new window) by OWASP (this link opens in a new window)

QRLJacking or Quick Response Code Login Jacking is a simple-but-nasty attack vector affecting all the applications that relays on “Login with QR code” feature as a secure way to login into accounts which aims for hijacking users session by attackers.