
QRLJacking or Quick Response Code Login Jacking is a simple-but-nasty attack vector affecting all the applications that relays on “Login with QR code” feature as a secure way to login into accounts which aims for hijacking users session by attackers.
Hacking Whatsapp with QRLJacking
QRLJacker is a highly customizable exploitation framework to demonstrate “QRLJacking Attack Vector” to show how it is easy to hijack services that depend on QR Code as an authentication and login method, Mainly it aims to raise the security awareness regarding all the services using the QR Code as a main way to login users to different services!
In a nutshell, the victim scans the attacker’s QR code which results in session hijacking.
Download QRLJacking from command line
git clone https://github.com/OWASP/QRLJacking.git
Run QRLJacking
cd QRKJacking/QrlJacking-Framework pip install -r requiremets.txt chmod +x QRLJacker.py python QRLJacker.py
After run, select first option Chat Application
Select WhatsApp. (1)
Wait for a while it will launch an attack. and Just copy the link (for example http://localhost:1337) and send it to the victim or convince victim to scan the malicious QR code.
Performing this phishing attack over the internet you would need to copy the index files located in the framework folder where you download the qrljacking framework earlier.
Always use bulletproof hosting for your hacking scripts and botnets.
Active Vulnerable Apps for QRLJacking
Chat Applications:
WhatsApp, WeChat, Line, Weibo, QQ Instant Messaging
Mailing Services:
QQ Mail (Personal and Business Corporate), Yandex Mail
eCommerce:
Alibaba, Aliexpress, Taobao, Tmall, 1688.com, Alimama, Taobao Trips
Online Banking:
AliPay, Yandex Money, TenPay
Passport Services “Critical”:
Yandex Passport (Yandex Mail, Yandex Money, Yandex Maps, Yandex Videos, etc...)
Mobile Management Software:
AirDroid
Other Services:
MyDigiPass, Zapper & Zapper WordPress Login by QR Code plugin, Trustly App, Yelophone, Alibaba Yunos
QRLJacking Video Tutorial