
I am currently working on a personal project to facilitate the connection of users to a private interface using a mobile application and a QR Code.

Steps:

  1. Users download an application and log in with a username and password.
  2. Users then connect to a web interface with a QR code.
  3. When users scan the QR code with their mobile, the web service allows each user to access his private interface.

In my research, I came across the QRLjacking exploit allowing a hacker to log in with his QR code.

What techniques could be implemented to drastically reduce the risk of hacking?

So far, I have thought of several ways but they are not ideal:

  • Requesting to scan a second QR code once the first has been scanned (thus requiring the hacker to have access to the second QR code).
  • Limit the validity of the QR code to 15 seconds (thus requiring the hacker to act very quickly)
  • Require the user to connect their phone to the same network and include the IP address in the QR code.

"thus requiring the hacker to have access to the second QR code" That makes it sound like the attacker is stealing the victim's QR codes somehow, but that's wrong. In QRLjacking, the **victim** scans the **attacker**'s QR code. – Joseph Sible-Reinstate Monica Apr 27 '20 at 23:00

1 Answer


I think it is best you refer to the docs you shared for help with this, as they are reputable and serve as a common reference for most professionals. I will do my best to distill some of the information in the documentation to help.

The first thing you want to consider is how this attack is performed, what attack vectors are used, and what vulnerabilities are being exploited.

The main vulnerability of this system is that it is subject to MitM attacks. The attacker will sit in between the victim and your server, pretending to be your site and presenting the victim with the QR Code from it.

The attack vectors are the different means by which the attacker establishes themselves as the middle party in the attack and gains the trust of the victim [1].

The attack can be performed by the attacker visiting your site and getting a valid QR code. The attacker then presents that QR code to the victim. The victim then authenticates that using your app. Now the attacker has a validated session on your site.

It appears the way to prevent this, to summarize, is to ensure that your site and your app are being used in the same place (though that may not help if the attacker is on the same LAN) as a proxy for ensuring it is being used by the same person [2].

> Requesting to scan a second QR code once the first has been scanned (thus requiring the hacker to have access to the second QR code).

The attacker can perform the attack twice, and may still fool the victim.

> Limit the validity of the QR code to 15 seconds (thus requiring the hacker to act very quickly)

It appears this is generally used as a targeted attack, so timing won't prevent it. The attacker can spear phish the victim within the time window.

> Require the user to connect their phone to the same network and include the IP address in the QR code.

This seems to loosely fit with the OWASP recommendation, but doesn't prevent attacks that take place on the same network.

They also have a recommendation to have the app use sound-based authorization that the site can verify.

My recommendation would be to implement the mitigations recommended by OWASP. In addition to that, I recommend you severely limit what the user can do from the site. Don't implement any account management features from the site (password resets, email changes, username changes, etc). Also, allow the client to revoke access of connected computers, from the app. You may also want to send your user a notification that they are connected from computer X, so they can revoke that access if they suspect they didn't mean to authorize it.

[1] https://github.com/OWASP/QRLJacking/wiki/QRLJacking-and-Advanced-Real-Life-Attack-Vectors

[2] https://github.com/OWASP/QRLJacking/wiki/QRLJacking-and-Advanced-Real-Life-Attack-Vectors

iraleigh