QRLJacking or Quick Response Code Login Jacking is a simple-but-nasty attack vector affecting all the applications that relays on “Login with QR code” feature as a secure way to login into accounts which aims for hijacking users session by attackers.

Hacking Whatsapp with QRLJacking

QRLJacker is a highly customizable exploitation framework to demonstrate “QRLJacking Attack Vector” to show how it is easy to hijack services that depend on QR Code as an authentication and login method, Mainly it aims to raise the security awareness regarding all the services using the QR Code as a main way to login users to different services!

In a nutshell, the victim scans the attacker’s QR code which results in session hijacking.

Download QRLJacking from command line

git clone https://github.com/OWASP/QRLJacking.git

Run QRLJacking

cd QRKJacking/QrlJacking-Framework
pip install -r requiremets.txt 
chmod +x QRLJacker.py
python QRLJacker.py

After run, select first option Chat Application

Select WhatsApp. (1)

Wait for a while it will launch an attack. and Just copy the link (for example http://localhost:1337) and send it to the victim or convince victim to scan the malicious QR code.

Performing this phishing attack over the internet you would need to copy the index files located in the framework folder where you download the qrljacking framework earlier.

Always use bulletproof hosting for your hacking scripts and botnets.

Active Vulnerable Apps for QRLJacking

Chat Applications:

WhatsApp, WeChat, Line, Weibo, QQ Instant Messaging

Mailing Services:

QQ Mail (Personal and Business Corporate), Yandex Mail

eCommerce:

Alibaba, Aliexpress, Taobao, Tmall, 1688.com, Alimama, Taobao Trips

Online Banking:

AliPay, Yandex Money, TenPay

Passport Services “Critical”:

Yandex Passport (Yandex Mail, Yandex Money, Yandex Maps, Yandex Videos, etc...)

Mobile Management Software:

AirDroid

Other Services:

MyDigiPass, Zapper & Zapper WordPress Login by QR Code plugin, Trustly App, Yelophone, Alibaba Yunos

QRLJacking Video Tutorial