Logging in via QR code is something that more websites are starting to embrace. Some of those websites include Discord, Telegram, Whatsapp, Steam and Tiktok. Rather than having to enter a username/password in the website, you use the application’s mobile app to scan the QR code. Security researcher Kuba Gretzky from breakdev.org published an article demonstrating how attackers could take over accounts by convincing users to scan supplied QR codes using phishing techniques. He did so by creating the Evil QR Toolkit which is a browser extension and web server combination. The toolkit captures the QR code that the attacker is presented with and display them to the victim using phishing techniques. Should the victim take the bait and sign in using the QR code, the attacker would be automatically logging into the website as them. All this without the knowledge of the victim. While such attacks results in account takeovers, the security researcher commented that it is a sophisticated attack with a lot of prerequisites to be successful. One of which being that QR codes session tokens expires after 30 seconds and a new code is regenerated. Read more about it at breakdev.org
https://breakdev.org/evilqr-phishing/
This segment was created for the It’s 5:05 podcast