Abstraction

We are in an era where passwords are going to be an extinct term. Easy logins, Fingerprints and 2FAs techniques are taking over now. One of the most efficient methods that was presented in August 2013 is “Login using QR Code” which was patented by Google Inc. under the patent number (US20130219479 A1). This form of Login methods promised to combine both usability and security.

With QRLJacking attack vector we proved the opposite, Can QR codes be logged by a Keylogger, MITMed over network, or even stolen ? of course NO.

Quick Response code Login Jacking or (QRLJacking) is a simple-but-nasty attack vector affecting all the applications that relies on “Login with QR code” feature as a secure way to login into accounts, In a simple way, It’s all about convincing the victim to scan the attacker’s QR code. So simple isn’t it?

Attackers are able now to easily hijack user accounts in an efficient way even if the Login by QR 2FA is enabled which is considered a Single Sign On and the last defense line of authentication.

In this research paper we’re going to demonstrate how this could be done with a real life attack vector to prove how nasty and easy it is.