QR codes, or Quick Response codes, are pretty cool. They can be used to encode essentially all things alphanumeric and digital. Plus they look kind of futuristic. QR codes are a technical enhancement of bar codes (X-axis—left to right). While bar codes are considered one-dimensional, QR codes are two-dimensional (X and Y axes—left to right and top to bottom). QR codes can store up to 7089 digits or 4296 characters. This includes punctuation marks and special characters. So QR codes can be used to encode words, phrases, internet URLs, and login credentials too.
But for all their convenience, QRLs are also an online attack vector. Enter QRLjacking.
QR code history
QR codes were created by a Japanese manufacturing company called Denso Wave. The company needed a better coding system that could handle more data (capable of encoding more characters) than traditional barcodes. The company needed this in order to be able to track the increasing number of vehicles and parts it was manufacturing. Denso Wave employee, Masahiro Hara, with a team of two colleagues, developed what we now know as QR codes. QR codes have been available since 1994.
What are QRLs?
QRL, or Quick Response Code Login, is an alternative to password-based authentication. QRLs allow users to log in to their accounts by scanning (taking a photograph of) a QR code that encodes the user’s login credentials. So, yes, that means you need a device equipped with a camera that is able to interpret QR codes. But most smartphones and computers you buy today have that functionality built in.
QRL, or Quick Response Code Login, emerged as a way to overcome two of the main grievances affecting traditional password-based logins.
- Password fatigue: With the number of online services growing on a daily basis, asking a user to come up with and remember a secure password for each of their accounts quickly becomes unmanageable. So people end up reusing the same passwords for multiple sites/services. That’s a very bad idea for many reasons. Namely because if a password you use for many services is ever compromised, your account for all of those services is compromised. That effectively multiplies the damage by the number of sites/services that share that password. For more information, you can read our dedicated article on reusing passwords.
- Replay attacks: Traditional password-based credentials are vulnerable to replay attacks. A replay attack is a type of man-in-the-middle attack, in which the transmission of legitimate data (a user’s login credentials, for example) is delayed and intercepted by the attacker, who then retransmits the intercepted data in order to impersonate the actual user and potentially steal their data. Because QRLs change with each login attempt, they close the door on these types of attacks.
But that doesn’t mean QRLs are invulnerable, by any means, as we’ll see.
What is QRLjacking?
QRLjacking is an online attack that consists of fooling an unsuspecting user into scanning the QRL provided by the attacker rather than the actual QRL issued by the service provider. Once the user scans the malicious QRL, the attacker gains access to the user’s account and bad things happen.
QRLjacking, like many online attacks, requires some form of social engineering to fool the victim into scanning the compromised QRL.
Here is an example of a typical QRLjacking attack:
- The attacker initiates a client-side QR session for the website/service in question.
- The attacker then clones the Login QR code to a fake login page closely mimicking a legitimate online service. The QR codes it displays are valid and regularly updated.
- Using some form of social engineering, the attacker sends the fake page to the victim. This can be an email with a URL, a Facebook post, even a text message, whatever, as long as it tricks the victim into clicking the link.
- The user scans the malicious QRL with the mobile application the QRL was crafted for.
- The attacker gains access to the victim’s account and the online service is none the wiser as it shares the user’s data with the attacker.
Real-world QRLjacking attacks
In April 2019, OWASP.org, The Open Web Application Security Project, created a GitHub repository hosting software tools to perpetrate QRLjacking attacks, complete with instructions and a Wiki. Security researchers sometimes post “nasty” stuff for research purposes.
On the GitHub page, OWASP lists the online services that, in April 2019, were known to be vulnerable to QRLjacking attacks. I’ve reproduced the list below. Some of the online services that made OWASP’s list may surprise you.
Most of these services are Chinese or Russian, where QR codes are much more common.
- QQ Instant Messaging
- QQ Mail (Personal and Business Corporate)
- Yandex Mail
- Taobao Trips
- Yandex Money
- Yandex Passport (Yandex Mail, Yandex Money, Yandex Maps, Yandex Videos, etc…)
- Mobile Management Software
- Zapper & Zapper WordPress Login by QR Code plugin
- Trustly App
- Alibaba Yunos
Mitigating QRLjacking attacks
There isn’t much users can do to protect against QRLjacking attacks beyond not using QRLs at all. In fact, it’s OWASP’s number one recommendation in mitigating QRLjacking.
Beyond that, there are a few measures that website administrators can take to minimize the attack surface, although they should ideally stop using QRLs as a means of authenticating their users altogether. But if you must use QRLs, here are a few security tips.
Confirmation message
The website/service sends a confirmation email or SMS message to the user after they’ve logged in with the QRL. That way, the user can tell something’s up if they receive a confirmation for a login they didn’t make, or don’t receive one when they expected to.
Restricted IP addresses
Restricting the IP addresses that can use the QRL is another way to mitigate QRLjacking attacks. The user needs to request the QRL from the site/service, so the service knows their IP address by this point. This would block the authentication request from the attacker’s server. However, there are ways an attacker could spoof their IP address and potentially bypass this security measure.
Restricted locations
Similar to the above, another mitigation measure would be to restrict the locations from which authentication requests are accepted. Because the website/service inevitably knows the user’s IP address, it also knows their general location. While not foolproof, this could thwart an authentication request from the attacker as long as the malicious server is not in the same general location as the victim.
But again, these are relatively impractical mitigation measures. And none of them are silver bullets. Number one is theoretical. Number two isn’t that difficult to circumvent. And number three will not work if the attacker’s server is in the same general location as the victim.
So the best mitigation is not to use QRLs at all.
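To make the three server-side measures above concrete (and the one-time nature of QRLs mentioned under replay attacks), here is a small model of a QRL issuing service written for this article; it is not OWASP’s code or any real service’s implementation. The `REGION_OF` table is a constructed stand-in for a geolocation lookup, and the IP addresses and user names are constructed sample values.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for an IP geolocation lookup (documentation-range addresses).
REGION_OF = {"203.0.113.10": "fr-paris", "203.0.113.77": "fr-paris",
             "198.51.100.5": "ru-moscow"}


@dataclass
class QrlSession:
    requester_ip: str          # browser/client that asked for the QR code
    issued_at: float
    ttl: int = 60              # QRLs are short-lived; the page notes they change per attempt
    user: Optional[str] = None
    used: bool = False         # one-time use: a scanned token cannot be replayed


class QrlService:
    def __init__(self) -> None:
        self.sessions: Dict[str, QrlSession] = {}
        self.notifications: List[str] = []   # out-of-band confirmation messages (measure 1)

    def issue_qrl(self, requester_ip: str, now: Optional[float] = None) -> str:
        """Mint a random one-time token bound to the requesting client's IP.
        The token is what gets rendered into the QR image."""
        token = secrets.token_urlsafe(16)
        self.sessions[token] = QrlSession(requester_ip, now or time.time())
        return token

    def confirm_scan(self, token: str, user: str, scanner_ip: str,
                     now: Optional[float] = None) -> str:
        """The phone app posts the scanned token. Apply the checks before granting a session."""
        now = now or time.time()
        s = self.sessions.get(token)
        if s is None or s.used or now - s.issued_at > s.ttl:
            return "rejected: unknown, reused or expired token"
        # Measures 2 and 3: the client that requested the QR and the phone that scanned it
        # must sit in the same general location. In a relay attack the requester is the
        # attacker's server, so a mismatch is the signal; a co-located attacker slips through.
        if REGION_OF.get(scanner_ip) != REGION_OF.get(s.requester_ip):
            return "rejected: scan location does not match QR requester"
        s.used, s.user = True, user
        # Measure 1: tell the account owner out of band that a QR login just happened.
        self.notifications.append(f"{user}: QR login granted to {s.requester_ip}")
        return f"ok: session for {user} granted to {s.requester_ip}"
```

The location check is deliberately coarse, which is exactly the weakness the article points out: it does nothing when the attacker’s server and the victim share a region.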
If, as a user, you must use QRLs, here’s some common sense advice that may help you out. These are things you should be doing anyway. Not just in a context in which you’re trying to defend against QRLjacking.
- Use a firewall—All major operating systems have a built-in incoming firewall and all commercial routers on the market have a built-in NAT firewall. Make sure these are enabled as they may protect you in the event that you click a malicious link.
- If your web browser displays a warning about a website you’re trying to access or its SSL certificate, pay attention, and navigate away from that site.
- Don’t click links or attachments in emails unless you know exactly who sent it and what it is.
Security and convenience are in a constant balancing act. Internet for the masses requires both, but the equilibrium is difficult to find. However, sometimes convenience is exaggerated. For example, are QRLs that much more convenient than one-time passwords (OTP)? Think about it, you still need to pull out your phone, launch the camera app, and take a picture. Is that so much more convenient than opening an OTP app and copying and pasting it? I’m not sure it is. And, are we now just so “internet-lazy” that an extra swipe or two becomes a dealbreaker?
While convenience may be convenient (nice truism, no?) it isn’t always secure. And while the internet can show us a lot of fun and interesting things, never forget that the internet is a hostile place with no shortage of individuals and organizations that want a piece of you. So don’t use QRLs—at least for your more important online accounts. And while perhaps not as convenient as your web browser’s auto-login feature, OTPs, while not perfect, will provide much better security than QRLs. A slight drop in convenience often yields important security gains.