This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Qrljacking"

From OWASP
Jump to: navigation, search
(Created page with "=Main= <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">link=</div> {| style="padding: 0;margin:0;margin-top:10px;t...")
 
(QRLJacking updated)
Line 1: Line 1:
=Main=
+
QRLJacking or Quick Response Code Login Jacking is a simple-but-nasty attack vector affecting all applications that relay on “Login with QR code” feature as a secure way to login into accounts. In a simple way, It’s all about convincing the victim to scan the attacker’s QR code.
  
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
 
  
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 
  
<span style="color:#ff0000">
+
= Login With QR codes, a feature or a bug? (Security vs Usability) =
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.
+
When it comes to authentication, any given system that doesn’t attain the state of balance between being sufficiently usable and secure is basically an impractical authentication system. Since the very beginning, the traditional credentials-based authentication system has taken dominance over any other alternatives. But not without many shortcomings, from risks like replay and phishing attacks to intrinsic problems like the "password fatigue” problem (in which a user is burdened with the need to remember an excessive number of passwords as part of his daily routine), we are left with non-trivial design flaws that need to be addressed.  
</span>
 
  
==OWASP Tool Project Template==
+
Later on, new approaches have emerged to address these problems. One approach is the single sign-on system (a.k.a SSO), where a user can simply have one single account that enables him to authenticate to multiple services. This somewhat resolves the aforementioned "password fatigue” problem as a user no longer needs to burden himself with too many passwords to remember and no longer is tempted to develop bad habits like reusing the same password over and over again. But still it doesn’t come without its own shortcomings, as in this case, losing the one password will prevent access to all services associated with the SSO system; let alone the potential risk of mass account compromisation.  
<span style="color:#ff0000">
 
This section should include an overview of what the project is, why the project was started, and what security issue is being addressed by the project deliverable. Some readers may be discouraged from looking further at the project if they do not understand the significance of the security concern that is being addressed, so provide enough context so the average reader will continue on with reading the description. You shouldn't assume the reader will understand the objective by providing security terminology, e.g. this project builds cryptographic algorithms, but should also endeavor to explain what they are used for.
 
</span>
 
  
The OWASP Tool Template Project is a template designed to help Project Leaders create suitable project pages for OWASP Projects.  By following the instructional text in red (and then deleting it) it should be easier to understand what information OWASP and the project users are looking for.  And it's easy to get started by simply creating a new project from the appropriate project template.
+
Another approach that has been introduced is what’s called “one-time password (OTP)”, which tries to mitigate many risks such as replay attacks and any potential of phishing attacks to some extend. But on the downside, these passwords are typically hard to memorise, and therefore, they require additional technology to be deployed.  
  
==Description==
+
Recently, a new SSO model that relies on QR-code-based one-time passwords has been introduced to further address such flaws. In a QR-code-based login, a user may only need to scan a QR code generated by the service he’s trying to authenticate to, and then a client app on a trusted device such as a smartphone would scan and transmit the QR code to an identity provider in order to validate it and further authenticate the user to the destination service. Hence conducting a seamless and safe login process even on a potentially compromised device. But as we explain in detail later––depending on the implementation––such approach can be easily abused to fool a user into authenticating a malicious attacker on behalf of himself to sensitive web services, defeating the whole point of such an approach!
<span style="color:#ff0000">
 
This is where you need to add your more robust project description. A project description should outline the purpose of the project, how it is used, and the value it provides to application security. Ideally, project descriptions should be written in such a way that there is no question what value the project provides to the software security community. This section will be seen and used in various places within the Projects Portal. Poorly written project descriptions therefore detract from a project’s visibility, so project leaders should ensure that the description is meaningful. 
 
</span>
 
  
The Tool Project Template is simply a sample project that was developed for instructional purposes that can be used to create default project pages for a Tool project.  After copying this template to your new project, all you have to do is follow the instructions in red, replace the sample text with text suited for your project, and then delete the sections in red.  Doing so should make it clearer to both consumers of this project, as well as OWASP reviewers who are trying to determine if the project can be promoted to the next category.  The information requested is also intended to help Project Leaders think about the roadmap and feature priorities, and give guidance to the reviews as a result of that effort.
 
  
Creating a new set of project pages from scratch can be a challenging task.  By providing a sample layout, with instructional text and examples, the OWASP Tool Project Template makes it easier for Project Leaders to create effective security projects and hence helps promote security.
 
  
Contextual custom dictionary builder with character substitution and word variations for pen-testers
+
= Related researches and projects about “Login by QR Code” =
 +
'''1. Login Using QR Code (Google Patents / US 20130219479 A1)'''
  
==Licensing==
+
Systems and methods are disclosed herein for a user to use a trusted device to provide sensitive information to an identity provider via QR (Quick Response) code for the identity provider to broker a website login or to collect information for the website. A user may securely transact with the website from unsecured devices by entering sensitive information into the trusted device. The identity provider may generate the QR code for display by the website on an unsecured device. A user running an application from the identity provider on the trusted device may scan the QR code to transmit the QR code to the identity provider. The identity provider may validate the QR code and may receive credential information to authenticate the user or may collect information for the website. Advantageously, the user may perform a safe login to the website from untrusted devices using the trusted device
<span style="color:#ff0000">
 
A project must be licensed under a community friendly or open source license.  For more information on OWASP recommended licenses, please see [https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]. While OWASP does not promote any particular license over another, the vast majority of projects have chosen a Creative Commons license variant for documentation projects, or a GNU General Public License variant for tools and code projects.  This example assumes that you want to use the AGPL 3.0 license.
 
</span>
 
  
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.  OWASP XXX and any contributions are Copyright &copy; by {the Project Leader(s) or OWASP} {Year(s)}. 
 
  
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
+
'''2. Smartphone Login Using QR Code (Google Patents / US 20130167208 A1)'''
  
== Project Resources ==
+
Systems and methods are disclosed for a user to use a mobile device such as a smart phone to scan a QR (Quick Response) code displayed on a login webpage of a website. The QR code may encode a server URL of the website. The mobile device decodes the QR code and transmits a device ID and other decoded information to a service provider. The service provider locates login credentials of the user linked to the device ID and communicates the login credentials to a website server for user authentication. Alternatively, the mobile device may transmit its device ID to the website server for the website server to locate a user account linked to the device ID for user login. Alternatively, the mobile device may transmit stored login credentials to the website server. Advantageously, a user may access a website without the need to provide any login credentials.
<span style="color:#ff0000">
 
This is where you can link to the key locations for project files, including setup programs, the source code repository, online documentation, a Wiki Home Page, threaded discussions about the project, and Issue Tracking system, etc.  
 
</span>
 
  
[https://github.com/SamanthaGroves Installation Package]
 
  
[https://github.com/SamanthaGroves Source Code]
+
'''3. SQRL Project'''
  
[https://github.com/SamanthaGroves What's New (Revision History)]
+
SQRL or Secure, Quick, Reliable Login (pronounced "squirrel" /ˈskwɝl/ About this sound en (help·info)) (formerly Secure QR Login) is a draft open standard for secure website login and authentication. The software solution typically uses a QR code, which provides authentication, where a user identifies anonymously rather than providing a user ID and password. This method is thought to be impervious to a brute force password attack or data breach. It shifts the burden of security away from the party requesting the authentication and closer to the operating system implementation of what is possible on the hardware, as well as to the user. SQRL was proposed by Steve Gibson of Gibson Research Corporation in October 2013 as a way to simplify the process of Authentication protocol, without revealing any information about the transaction to a third party.
  
[https://github.com/SamanthaGroves Documentation]
 
  
[https://github.com/SamanthaGroves Wiki Home Page]
 
  
[https://github.com/SamanthaGroves Issue Tracker]
+
=What is QRLJacking Attack? =
 +
QRLJacking or Quick Response code Login Jacking is a simple-but-nasty attack vector affecting all the applications that relays on “Login with QR code” feature as a secure way to login into accounts, In a simple way, It’s all about convincing the victim to scan the attacker’s QR code.
  
[https://github.com/SamanthaGroves Slide Presentation]
 
  
[https://github.com/SamanthaGroves Video]
 
  
== Project Leader ==
+
= QRLJacking Attack Flow =
<span style="color:#ff0000">
+
Here’s how the QRLJacking attack works behind the scenes:
A project leader is the individual who decides to lead the project throughout its lifecycle. The project leader is responsible for communicating the project’s progress to the OWASP Foundation, and he/she is ultimately responsible for the project’s deliverables. The project leader must provide OWASP with his/her real name and contact e-mail address for his/her project application to be accepted, as OWASP prides itself on the openness of its products, operations, and members.
 
</span>
 
  
Project leader's name
+
1. The attacker initial a client side QR session and clone the Login QR Code into a phishing website. “Now a well-crafted phishing page with a valid and regularly updated QR Code is ready to be sent to a Victim.”
  
== Related Projects ==
+
2. The Attacker Sends the phishing page to the victim. (a lot of efficient attack vectors are going to be clarified later in the paper)
<span style="color:#ff0000">
 
This is where you can link to other OWASP Projects that are similar to yours.
 
</span>
 
* [[OWASP_Code_Project_Template]]
 
* [[OWASP_Documentation_Project_Template]]
 
  
==Classifications==
+
3. The Victim Scans the QR Code with a Specific Targeted Mobile App.
  
  {| width="200" cellpadding="2"
+
4. The Attacker gains controls over the victim’s Account.
  |-
 
  | colspan="2" align="center"  | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
 
  |-
 
  | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
 
  | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] 
 
  |-
 
  | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
 
  |-
 
  | colspan="2" align="center"  | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
 
  |}
 
  
| valign="top"  style="padding-left:25px;width:200px;" |
+
5. The service is exchanging all the victim’s data with the attacker’s session.
  
== News and Events ==
+
[[File:https://raw.githubusercontent.com/OWASP/QRLJacking/master/blob/images/AttackFlow.JPG]]
<span style="color:#ff0000">
 
This is where you can provide project updates, links to any events like conference presentations, Project Leader interviews, case studies on successful project implementations, and articles written about your project.
 
</span>
 
* [12 Feb 2013] Support for Spanish is now available with this release.
 
* [11 Jan 2014] The 1.0 stable version has been released! Thanks everyone for your feedback and code fixes that made this happen!
 
* [18 Dec 2013] 1.0 Release Candidate is available for download.  This release provides final bug fixes and product stabilization.  Any feedback (good or bad) in the next few weeks would be greatly appreciated.
 
* [20 Nov 2013] 1.0 Beta 2 Release is available for download. This release offers several bug fixes, a few performance improvements, and addressed all outstanding issues from a security audit of the code.
 
* [30 Sep 2013] 1.0 Beta 1 Release is available for download.  This release offers the first version with all of the functionality for a minimum viable product.   
 
  
|}
 
  
=FAQs=
 
  
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
+
= QRLJacking Implications =
<span style="color:#ff0000">
+
'''1. Accounts Hijacking'''
Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'
 
</span>
 
  
==How can I participate in your project?==
+
QRLJacking attack gives attackers the ability to apply a full account hijacking scenario on the vulnerable Login with QR Code feature resulting in accounts stealing and reputation affection.
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.  
 
  
==If I am not a programmer can I participate in your project?==
+
'''2. Information Disclosure'''
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.  See the Road Map and Getting Involved tab for more details.
 
  
= Acknowledgements =
+
When the victim scans the QR code he is giving the attacker much more information like for example (his accurate current GPS location, Device type, IMEI, SIM Card Information and any other sensitive information that the client application presents at the login process)
==Contributors==
 
  
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
+
'''3. Callback Data Manipulation'''
<span style="color:#ff0000">
 
The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project.
 
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project.
 
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.
 
</span>
 
  
The OWASP Tool Project Template is developed by a worldwide team of volunteers. A live update of project  [https://github.com/OWASP/Security-Principles/graphs/contributors contributors is found here].  
+
When the attacker receives the data which we clarified in the “Information Disclosure” point, Some of this data is used to communicate with the service servers to clarify some information about the user which can be used later in the user’s application. Unfortunately sometimes this data is exchanged over insecure network connection which makes it easy for this data to be controlled by the attacker giving him the ability to alter or even remove it.
  
The first contributors to the project were:
 
  
* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] who created the OWASP Cornucopia project that the template was derived from
 
* [https://www.owasp.org/index.php/User:Chuck_Cooper Chuck Cooper] who edited the template to convert it from a documentation project to a Tool Project Template
 
* '''YOUR NAME BELONGS HERE AND YOU SHOULD REMOVE THE PRIOR 3 NAMES'''
 
  
= Road Map and Getting Involved =
+
= QRLJacking Requirements =
 +
As mentioned before one of the attack’s advantages relays in it’s simplicity, So all what the attackers need to do to initial a successful QRLJacking attack is to write a script to regularly clone the expirable QR Codes and refresh the ones that is displayed in the phishing website they created because as we know a well implemented QR Login process should have an expiration interval for the QR codes (during our tests some services doesn’t have that).
  
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
+
So all what we need here is: Attacker (Script kiddie as a minimum required skills) + QR Code Refreshing Script (on the attacker side) + well crafted phishing web page/script and a Victim.
<span style="color:#ff0000">
 
A project roadmap is the envisioned plan for the project. The purpose of the roadmap is to help others understand where the project is going as well as areas that volunteers may contribute. It gives the community a chance to understand the context and the vision for the goal of the project. Additionally, if a project becomes inactive, or if the project is abandoned, a roadmap can help ensure a project can be adopted and continued under new leadership.
 
Roadmaps vary in detail from a broad outline to a fully detailed project charter. Generally speaking, projects with detailed roadmaps have tended to develop into successful projects. Some details that leaders may consider placing in the roadmap include: envisioned milestones, planned feature enhancements, essential conditions, project assumptions, development timelines, etc. You are required to have at least 4 milestones for every year the project is active.
 
</span>
 
  
==Roadmap==
 
As of <strong>November, 2013, the highest priorities for the next 6 months</strong> are:
 
<strong>
 
* Complete the first draft of the Tool Project Template
 
* Get other people to review the Tool Project Template and provide feedback
 
* Incorporate feedback into changes in the Tool Project Template
 
* Finalize the Tool Project template and have it reviewed to be promoted from an Incubator Project to a Lab Project
 
</strong>
 
  
Subsequent Releases will add
 
<strong>
 
* Internationalization Support
 
* Additional Unit Tests
 
* Automated Regression tests
 
</strong>
 
  
==Getting Involved==
+
= QRLJacking and Advanced Real Life Attack Vectors =
Involvement in the development and promotion of <strong>Tool Project Template</strong> is actively encouraged!
+
As we all know, If we combined more than one attack vector together we can have a great result. QRLJacking attack can be combined with a powerful attack vectors and techniques to make it more reliable and trustworthy. Here are some examples:
You do not have to be a security expert or a programmer to contribute.
 
Some of the ways you can help are as follows:
 
  
===Coding===
+
'''1. Social Engineering techniques (Targeted Attacks)'''
We could implement some of the later items on the roadmap sooner if someone wanted to help out with unit or automated regression tests
 
===Localization===
 
Are you fluent in another language? Can you help translate the text strings in the <strong>Tool Project Template</strong> into that language?
 
===Testing===
 
Do you have a flair for finding bugs in software? We want to product a high quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.
 
===Feedback===
 
Please use the [https://lists.owasp.org/mailman/listinfo/OWASP_Tool_Project_Template Tool Project Template project mailing list] for feedback about:
 
<ul>
 
<li>What do like?</li>
 
<li>What don't you like?</li>
 
<li>What features would you like to see prioritized on the roadmap?</li>
 
</ul>
 
  
=Minimum Viable Product=
+
A skilled social engineer attacker will find this mission easy to convince the victim to scan the QR Code by cloning the whole web application login page with an exact one but with his own attacker side QR Code.
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
 
<span style="color:#ff0000">
 
This page is where you should indicate what is the minimum set of functionality that is required to make this a useful product that addresses your core security concern.
 
Defining this information helps the project leader to think about what is the critical functionality that a user needs for this project to be useful, thereby helping determine what the priorities should be on the roadmap.  And it also helps reviewers who are evaluating the project to determine if the functionality sufficiently provides the critical functionality to determine if the project should be promoted to the next project category.
 
</span>
 
  
The Tool Project Template must specify the minimum set of tabs a project should have, provide some an example layout on each tab, provide instructional text on how a project leader should modify the tab, and give some example text that illustrates how to create an actual project.
+
'''2. Highly Trusted Hacked Websites'''
  
It would also be ideal if the sample text was translated into different languages.
+
Hacked websites are prone to be injected with a script that displays an Ad or a newly added section displays a cool offer if the user scanned this QR Code with a specific targeted mobile application his account will be hijacked.
  
=Project About=
+
'''3. SSL Stripping'''
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
 
<span style="color:#ff0000">
 
This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager.
 
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project
 
</span>
 
  
{{:Projects/OWASP_Example_Project_About_Page}}
+
SSL Stripping is an attack which is all about strip the ssl website and force it to work on a non secured version. Web sites without “HSTS Policy” enabled are prone to be stripped which gives the attacker multiple choices to manipulate the content of the website pages by for example, “altering the QR Code login sections”.
  
__NOTOC__ <headertabs />
+
'''4. Content Delivery Networks (CDNs Downgrading)'''
  
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]
+
A well implemented Login by QR Code feature uses a base64 QR code image generated and well placed in a secured page which will make it very difficult to be manipulated if this website is working over HTTPS and forcing HSTS, but unfortunately a lot of web applications and services uses a CDN based QR image generation process. These CDNs itself are sometimes stored on a servers vulnerable to HTTPS Downgrading attacks. Attackers will find a way to downgrade these secure connections, redirect the CDN URLs to his own QR Code, and since the QR Code is an image this will result in a “passive mixed content” hence the browser will not find any problems by viewing it on the web application login page instead of the original one.
 +
 
 +
'''5. Non-secure Traffic over LAN'''
 +
 
 +
This is the coolest attack vector for attacking the local users which exploits the non secured websites over the Local Area Networks, The attacker here is performing MITM (Man in the Middle Attack) against his local area network, poisoning the traffic on the fly by injecting a JS file on every non secured web page resulting in what is clearly shown in figure(4) below.
 +
 
 +
'''6. Bad Implementation / Logic'''
 +
 
 +
Bad implementation logic of the QR code logins may result into a more easy accounts takeover scenarios. During our research we found a specific example: A chat app asks you to scan other people’s QR code to add them as friends, until here it's normal and there are no problems, but when it comes to the login process it’s a big problem. Unfortunately, the application implemented the “login by QR code” feature on the same screen that you’re using to add a friend, so imagine that someone cloned his login qr code and told you “Hey, This is my QR Code, scan it to be my friend, you scanned it, Boom” you lost your account.
 +
 
 +
 
 +
 
 +
= QRLJacking vs Clickjacking =
 +
As known, clickjacking is all about abusing the style of a sensitive web page hiding and covering and manipulating some elements to convince the victim “for example” to change his account’s main email address and password to the attacker’s one, but what if the attacker succeeded in that and after a while he wants to login to the victim’s account and found that this account has 2 Factor Authentication feature enabled!!!  Of course the attack is ruined and the whole thing became useless.
 +
 
 +
QR Login feature was presented to be Single Sign-On and a 2 Factor Authentication layer and because of that reason it is considered the final defense line that give the users both security and usability. “Scan me to login” it’s so easy, secure and efficient way to login on a daily basis. QRLJacking is here to mess that usability and security implementation.
 +
 
 +
It’s obvious now why is QRLJacking attack is more severe than a regular Clickjacking one.
 +
 
 +
 
 +
 
 +
= Defending against QRLJacking (Recommendations and Mitigations) =
 +
One of the techniques to mitigate this kind of attack [And maintain the same usability level as to not require any additional interaction from the user other than scanning the QR ] is to added sound-based authentication step to the process , we have seen this kind of technology where it is possible to generate unique data and  convert it to audio that can be recognized back into its original form [SlickLogin and Sound-Proof] so it is possible to include this technology in the process .
 +
 
 +
The purposes of this added step is to make sure that scanned QR code is generated in the same physical location as the mobile device that is doing the scan and therefore eliminating the possibility or a remote attacker deceiving the user into scanning his qr code.
 +
 
 +
[[File:https://raw.githubusercontent.com/OWASP/QRLJacking/master/blob/images/NormalLoginScenario.JPG]]
 +
 
 +
 
 +
'''The Attack Scenario (with the mitigation):'''
 +
Attacker visits the website and opens a session.
 +
 
 +
1. The Website Generates QR Code which holds a session key.
 +
 
 +
2. Attacker crafts a phishing website with the received QR Code and sends it to the user.
 +
 
 +
3. User scans the attacker's QR Code in the phishing website.
 +
 
 +
4. The mobile App generates the authentication sound and play it to the phishing website.
 +
 
 +
5. The phishing website fails to process and capture the authentication audio as it requires additional browser permissions.
 +
 
 +
6. Even if the attacker tries to generate the authentication sound based on the (User ID) he still lacks the private key.
 +
 
 +
[[File:https://raw.githubusercontent.com/OWASP/QRLJacking/master/blob/images/AttackerScenario.JPG]]
 +
 
 +
 
 +
 
 +
For more information on QRLJacking tools and extra, please visit the [https://github.com/OWASP/QRLJacking QRLJacking on Github]
 +
 
 +
= References =
 +
* https://www.owasp.org/index.php/Clickjacking
 +
* https://en.wikipedia.org/wiki/SQRL
 +
* https://en.wikipedia.org/wiki/QR_code
 +
* https://en.wikipedia.org/wiki/Single_sign-on
 +
: Mixed Content
 +
* https://https.cio.gov/mixed-content/
 +
: Smart Phone Login Using QR Code
 +
* https://www.google.com/patents/US20130167208
 +
: Login Using QR Code
 +
* http://www.google.com/patents/US20130219479
 +
* https://en.wikipedia.org/wiki/SlickLogin
 +
* http://sound-proof.ch/
 +
 
 +
'''Proof of Concept examples (Videos)'''
 +
* [https://www.youtube.com/watch?v=4QwyBXiZhG0 WhatsApp QRHijacking Vulnerability]
 +
 
 +
* [https://www.youtube.com/watch?v=JCoPSdQvESc WhatsApp Accounts Hijacking and ARP poisoning]
 +
 
 +
* [https://www.youtube.com/watch?v=jenmicugWoo AirDroid vulnerable to QRLJacking Vulnerability]
 +
 
 +
* [https://www.youtube.com/watch?v=lx-qnQ0ltpI Vulnerable Web Applications and Services uses Login by QR Code Feature part #1]
 +
 
 +
* [https://www.youtube.com/watch?v=Nc_NyR06U5Q Vulnerable Web Applications and Services uses Login by QR Code Feature part #2]

Revision as of 18:51, 19 July 2016

QRLJacking or Quick Response Code Login Jacking is a simple-but-nasty attack vector affecting all applications that relay on “Login with QR code” feature as a secure way to login into accounts. In a simple way, It’s all about convincing the victim to scan the attacker’s QR code.


Login With QR codes, a feature or a bug? (Security vs Usability)

When it comes to authentication, any given system that doesn’t attain the state of balance between being sufficiently usable and secure is basically an impractical authentication system. Since the very beginning, the traditional credentials-based authentication system has taken dominance over any other alternatives. But not without many shortcomings, from risks like replay and phishing attacks to intrinsic problems like the "password fatigue” problem (in which a user is burdened with the need to remember an excessive number of passwords as part of his daily routine), we are left with non-trivial design flaws that need to be addressed.

Later on, new approaches have emerged to address these problems. One approach is the single sign-on system (a.k.a SSO), where a user can simply have one single account that enables him to authenticate to multiple services. This somewhat resolves the aforementioned "password fatigue” problem as a user no longer needs to burden himself with too many passwords to remember and no longer is tempted to develop bad habits like reusing the same password over and over again. But still it doesn’t come without its own shortcomings, as in this case, losing the one password will prevent access to all services associated with the SSO system; let alone the potential risk of mass account compromisation.

Another approach that has been introduced is what’s called “one-time password (OTP)”, which tries to mitigate many risks such as replay attacks and any potential of phishing attacks to some extend. But on the downside, these passwords are typically hard to memorise, and therefore, they require additional technology to be deployed.

Recently, a new SSO model that relies on QR-code-based one-time passwords has been introduced to further address such flaws. In a QR-code-based login, a user may only need to scan a QR code generated by the service he’s trying to authenticate to, and then a client app on a trusted device such as a smartphone would scan and transmit the QR code to an identity provider in order to validate it and further authenticate the user to the destination service. Hence conducting a seamless and safe login process even on a potentially compromised device. But as we explain in detail later––depending on the implementation––such approach can be easily abused to fool a user into authenticating a malicious attacker on behalf of himself to sensitive web services, defeating the whole point of such an approach!


Related researches and projects about “Login by QR Code”

1. Login Using QR Code (Google Patents / US 20130219479 A1)

Systems and methods are disclosed herein for a user to use a trusted device to provide sensitive information to an identity provider via QR (Quick Response) code for the identity provider to broker a website login or to collect information for the website. A user may securely transact with the website from unsecured devices by entering sensitive information into the trusted device. The identity provider may generate the QR code for display by the website on an unsecured device. A user running an application from the identity provider on the trusted device may scan the QR code to transmit the QR code to the identity provider. The identity provider may validate the QR code and may receive credential information to authenticate the user or may collect information for the website. Advantageously, the user may perform a safe login to the website from untrusted devices using the trusted device


2. Smartphone Login Using QR Code (Google Patents / US 20130167208 A1)

Systems and methods are disclosed for a user to use a mobile device such as a smart phone to scan a QR (Quick Response) code displayed on a login webpage of a website. The QR code may encode a server URL of the website. The mobile device decodes the QR code and transmits a device ID and other decoded information to a service provider. The service provider locates login credentials of the user linked to the device ID and communicates the login credentials to a website server for user authentication. Alternatively, the mobile device may transmit its device ID to the website server for the website server to locate a user account linked to the device ID for user login. Alternatively, the mobile device may transmit stored login credentials to the website server. Advantageously, a user may access a website without the need to provide any login credentials.


3. SQRL Project

SQRL or Secure, Quick, Reliable Login (pronounced "squirrel" /ˈskwɝl/ About this sound en (help·info)) (formerly Secure QR Login) is a draft open standard for secure website login and authentication. The software solution typically uses a QR code, which provides authentication, where a user identifies anonymously rather than providing a user ID and password. This method is thought to be impervious to a brute force password attack or data breach. It shifts the burden of security away from the party requesting the authentication and closer to the operating system implementation of what is possible on the hardware, as well as to the user. SQRL was proposed by Steve Gibson of Gibson Research Corporation in October 2013 as a way to simplify the process of Authentication protocol, without revealing any information about the transaction to a third party.


What is QRLJacking Attack?

QRLJacking or Quick Response code Login Jacking is a simple-but-nasty attack vector affecting all the applications that relays on “Login with QR code” feature as a secure way to login into accounts, In a simple way, It’s all about convincing the victim to scan the attacker’s QR code.


QRLJacking Attack Flow

Here’s how the QRLJacking attack works behind the scenes:

1. The attacker initial a client side QR session and clone the Login QR Code into a phishing website. “Now a well-crafted phishing page with a valid and regularly updated QR Code is ready to be sent to a Victim.”

2. The Attacker Sends the phishing page to the victim. (a lot of efficient attack vectors are going to be clarified later in the paper)

3. The Victim Scans the QR Code with a Specific Targeted Mobile App.

4. The Attacker gains controls over the victim’s Account.

5. The service is exchanging all the victim’s data with the attacker’s session.

File:Https://raw.githubusercontent.com/OWASP/QRLJacking/master/blob/images/AttackFlow.JPG


QRLJacking Implications

1. Accounts Hijacking

QRLJacking attack gives attackers the ability to apply a full account hijacking scenario on the vulnerable Login with QR Code feature resulting in accounts stealing and reputation affection.

2. Information Disclosure

When the victim scans the QR code he is giving the attacker much more information like for example (his accurate current GPS location, Device type, IMEI, SIM Card Information and any other sensitive information that the client application presents at the login process)

3. Callback Data Manipulation

When the attacker receives the data which we clarified in the “Information Disclosure” point, Some of this data is used to communicate with the service servers to clarify some information about the user which can be used later in the user’s application. Unfortunately sometimes this data is exchanged over insecure network connection which makes it easy for this data to be controlled by the attacker giving him the ability to alter or even remove it.


QRLJacking Requirements

As mentioned before one of the attack’s advantages relays in it’s simplicity, So all what the attackers need to do to initial a successful QRLJacking attack is to write a script to regularly clone the expirable QR Codes and refresh the ones that is displayed in the phishing website they created because as we know a well implemented QR Login process should have an expiration interval for the QR codes (during our tests some services doesn’t have that).

So all what we need here is: Attacker (Script kiddie as a minimum required skills) + QR Code Refreshing Script (on the attacker side) + well crafted phishing web page/script and a Victim.


QRLJacking and Advanced Real Life Attack Vectors

As we all know, If we combined more than one attack vector together we can have a great result. QRLJacking attack can be combined with a powerful attack vectors and techniques to make it more reliable and trustworthy. Here are some examples:

1. Social Engineering techniques (Targeted Attacks)

A skilled social engineer attacker will find this mission easy to convince the victim to scan the QR Code by cloning the whole web application login page with an exact one but with his own attacker side QR Code.

2. Highly Trusted Hacked Websites

Hacked websites are prone to be injected with a script that displays an Ad or a newly added section displays a cool offer if the user scanned this QR Code with a specific targeted mobile application his account will be hijacked.

3. SSL Stripping

SSL Stripping is an attack which is all about strip the ssl website and force it to work on a non secured version. Web sites without “HSTS Policy” enabled are prone to be stripped which gives the attacker multiple choices to manipulate the content of the website pages by for example, “altering the QR Code login sections”.

4. Content Delivery Networks (CDNs Downgrading)

A well implemented Login by QR Code feature uses a base64 QR code image generated and well placed in a secured page which will make it very difficult to be manipulated if this website is working over HTTPS and forcing HSTS, but unfortunately a lot of web applications and services uses a CDN based QR image generation process. These CDNs itself are sometimes stored on a servers vulnerable to HTTPS Downgrading attacks. Attackers will find a way to downgrade these secure connections, redirect the CDN URLs to his own QR Code, and since the QR Code is an image this will result in a “passive mixed content” hence the browser will not find any problems by viewing it on the web application login page instead of the original one.

5. Non-secure Traffic over LAN

This is the coolest attack vector for attacking the local users which exploits the non secured websites over the Local Area Networks, The attacker here is performing MITM (Man in the Middle Attack) against his local area network, poisoning the traffic on the fly by injecting a JS file on every non secured web page resulting in what is clearly shown in figure(4) below.

6. Bad Implementation / Logic

Bad implementation logic of the QR code logins may result into a more easy accounts takeover scenarios. During our research we found a specific example: A chat app asks you to scan other people’s QR code to add them as friends, until here it's normal and there are no problems, but when it comes to the login process it’s a big problem. Unfortunately, the application implemented the “login by QR code” feature on the same screen that you’re using to add a friend, so imagine that someone cloned his login qr code and told you “Hey, This is my QR Code, scan it to be my friend, you scanned it, Boom” you lost your account.


QRLJacking vs Clickjacking

As known, clickjacking is all about abusing the style of a sensitive web page hiding and covering and manipulating some elements to convince the victim “for example” to change his account’s main email address and password to the attacker’s one, but what if the attacker succeeded in that and after a while he wants to login to the victim’s account and found that this account has 2 Factor Authentication feature enabled!!! Of course the attack is ruined and the whole thing became useless.

QR Login feature was presented to be Single Sign-On and a 2 Factor Authentication layer and because of that reason it is considered the final defense line that give the users both security and usability. “Scan me to login” it’s so easy, secure and efficient way to login on a daily basis. QRLJacking is here to mess that usability and security implementation.

It’s obvious now why is QRLJacking attack is more severe than a regular Clickjacking one.


Defending against QRLJacking (Recommendations and Mitigations)

One of the techniques to mitigate this kind of attack [And maintain the same usability level as to not require any additional interaction from the user other than scanning the QR ] is to added sound-based authentication step to the process , we have seen this kind of technology where it is possible to generate unique data and convert it to audio that can be recognized back into its original form [SlickLogin and Sound-Proof] so it is possible to include this technology in the process .

The purposes of this added step is to make sure that scanned QR code is generated in the same physical location as the mobile device that is doing the scan and therefore eliminating the possibility or a remote attacker deceiving the user into scanning his qr code.

File:Https://raw.githubusercontent.com/OWASP/QRLJacking/master/blob/images/NormalLoginScenario.JPG


The Attack Scenario (with the mitigation): Attacker visits the website and opens a session.

1. The Website Generates QR Code which holds a session key.

2. Attacker crafts a phishing website with the received QR Code and sends it to the user.

3. User scans the attacker's QR Code in the phishing website.

4. The mobile App generates the authentication sound and play it to the phishing website.

5. The phishing website fails to process and capture the authentication audio as it requires additional browser permissions.

6. Even if the attacker tries to generate the authentication sound based on the (User ID) he still lacks the private key.

File:Https://raw.githubusercontent.com/OWASP/QRLJacking/master/blob/images/AttackerScenario.JPG


For more information on QRLJacking tools and extra, please visit the QRLJacking on Github

References

Mixed Content
Smart Phone Login Using QR Code
Login Using QR Code

Proof of Concept examples (Videos)