QRLJacking, or Quick Response Code Login Jacking, is a simple social engineering attack vector capable of session hijacking. It affects all applications that rely on the "Login with QR code" feature as a secure way to log in to accounts. In a nutshell, the victim scans the attacker's QR code, which results in session hijacking.
Technical Paper
The technical paper, which explains the QRLJacking attack vector in full, can be found directly via our Wiki.
Installing
Prerequisites before installing:
- Linux or macOS (does not work on Windows)
- Python 3.7+
Important note: if you have multiple Python versions, use the python3.7 command instead of python3 in the following steps, and use python3.7 -m pip instead of pip, pip3 or even python3 -m pip, because that is the reason for 95% of the issues opened here. I think people often skip the important parts.
- Update Firefox browser to the latest version
- Install the latest geckodriver from here, extract the file, then run:
chmod +x geckodriver
sudo mv -f geckodriver /usr/local/share/geckodriver
sudo ln -s /usr/local/share/geckodriver /usr/local/bin/geckodriver
sudo ln -s /usr/local/share/geckodriver /usr/bin/geckodriver
- Clone the repo with:
git clone https://github.com/OWASP/QRLJacking
cd QRLJacking/QRLJacker
- Install all the requirements with
pip install -r requirements.txt
- Now you can run the framework with
python3 QrlJacker.py --help
Tested on
- Ubuntu 18.04 Bionic Beaver
- Kali Linux 2018.x and up
Usage
Commandline arguments
usage: QrlJacker.py [-h] [-r ] [-x ] [--debug] [--dev] [--verbose] [-q]
optional arguments:
-h, --help show this help message and exit
-r Execute a resource file (history file).
-x Execute a specific command (use ; for multiples).
--debug Enables debug mode (Identifying problems easier).
--dev Enables development mode (Reloading modules every use).
--verbose Enables verbose mode (Display more details).
-q Quit mode (no banner).
Main menu help
General commands
=================
Command Description
--------- -------------
help/? Show this help menu.
os <command> Execute a system command without closing the framework
banner Display banner.
exit/quit Exit the framework.
Core commands
=============
Command Description
--------- -------------
database Prints the core version, check if framework is up-to-date and update if you are not up-to-date.
debug Drop into debug mode or disable it. (Making identifying problems easier)
dev Drop into development mode or disable it. (Reload modules every use)
verbose Drop into verbose mode or disable it. (Make framework displays more details)
reload/refresh Reload the modules database.
Resources commands
==================
Command Description
--------- -------------
history Display commandline most important history from the beginning.
makerc Save the most important commands entered since start to a file.
resource <file> Run the commands stored in a file.
Sessions management commands
============================
Command Description
--------- -------------
sessions (-h) Dump session listings and display information about sessions.
jobs (-h) Displays and manages jobs.
Module commands
===============
Command Description
--------- -------------
list/show List modules you can use.
use <module> Use an available module.
info <module> Get information about an available module.
previous Runs the previously loaded module.
search <text> Search for a module by a specific text in its name or in its description.
Module menu help
General commands
=================
Command Description
--------- -------------
help/? Show this help menu.
os <command> Execute a system command without closing the framework
banner Display banner.
exit/quit Exit the framework.
Core commands
=============
Command Description
--------- -------------
database Prints the core version and then check if it's up-to-date.
debug Drop into debug mode or disable it. (Making identifying problems easier)
dev Drop into development mode or disable it. (Reload modules every use)
verbose Drop into verbose mode or disable it. (Make framework displays more details)
reload/refresh Reload the modules database.
Resources commands
==================
Command Description
--------- -------------
history Display commandline most important history from the beginning.
makerc Save the most important commands entered since start to a file.
resource <file> Run the commands stored in a file.
Sessions management commands
============================
Command Description
--------- -------------
sessions (-h) Dump session listings and display information about sessions.
jobs (-h) Displays and manages jobs.
Module commands
===============
Command Description
---------- --------------
list/show List modules you can use.
options Displays options for the current module.
set Sets a context-specific variable to a value.
run Launch the current module.
use <module> Use an available module.
info <module> Get information about an available module.
search <text> Search for a module by a specific text in its name or in its description.
previous Sets the previously loaded module as the current module.
back Move back from the current context.
Sessions command help menu
usage: sessions [-h] [-l] [-K] [-s] [-k] [-i]
optional arguments:
-h Show this help message.
-l List all captured sessions.
-K Remove all captured sessions.
-s Search for sessions with a specified type.
-k Remove a specified captured session by ID.
-i Interact with a captured session by ID.
Jobs command help menu
usage: jobs [-h] [-l] [-K] [-k]
optional arguments:
-h Show this help message.
-l List all running jobs.
-K Terminate all running jobs.
-k Terminate jobs by job ID or module name
Vulnerable Web Applications and Services
Many well-known web applications and services were vulnerable to this attack as of the date this paper was written. Here are some examples (that we have reported), including but not limited to:
- Chat applications: WhatsApp, WeChat, Line, Weibo, QQ Instant Messaging
- Mailing services: QQ Mail (Personal and Business Corporate), Yandex Mail
- eCommerce: Alibaba, Aliexpress, Taobao, Tmall, 1688.com, Alimama, Taobao Trips
- Online banking: AliPay, Yandex Money, TenPay
- Passport services: Yandex Passport (Yandex Mail, Yandex Money, Yandex Maps, Yandex Videos, etc.)
- Mobile management software: AirDroid
- Other services: MyDigiPass, Zapper & Zapper WordPress Login by QR Code plugin, Trustly App, Yelophone, Alibaba Yunos