About QRLjacker
QRLJacking, also known as Quick Response Code Login Jacking, is indeed a social engineering attack vector that targets applications utilizing the "Login with QR code" feature as a means of secure login. The attack works as follows: The attacker generates a malicious QR code that appears legitimate and convinces the victim to scan it using their mobile device. This QR code is designed to redirect the victim's session token or login credentials to the attacker's device. By doing so, the attacker gains unauthorized access to the victim's account. The success of QRLJacking relies heavily on the trust placed in QR codes as a secure login method. Users often assume that scanning a QR code is a safe and convenient way to access their accounts. However, attackers exploit this trust to deceive users and gain access to their sensitive information.
Features of My QRLJacker
The QRLjacker has following features:
1. Comes with pre defined advanced social engineering templates of Whatsapp Aero and Whatsapp Gold.
2. Has Admin dashboard to control the sessions and create links.
3. Process is completely automated using python.
4. Uses ngrok for portforwarding but also can be deployed on a server.
5. Since Whatsapp updates the qr code in certain intervals hence the tool is optimised to detect change of qr codes and update the qr code on engineering webpage.
6. Tool is very polished in comparision to existing qrl jacking solutions.
-
Built with
Python
-
Built with
Bash
-
Deployment Env
Ubuntu / Kali
-
GUI Development
Bootstrap
-
Dependencies
Selenium
Scope of Development
Some of limitations and scope for improvements are :
1. Compatibility: The tool appears to be designed to work with the WhatsApp web interface. It uses the Selenium library and a web driver to interact with the web page. However, it is specifically designed for the Chrome browser using the ChromeDriver executable. It may not work correctly or at all with other browsers or different versions of Chrome.
2. Stability: The code relies on explicit waits (`time.sleep()`) to introduce delays during certain actions. While this can sometimes be necessary, it is not an ideal approach as it introduces fixed delays regardless of the actual state of the web page. It can lead to synchronization issues and may cause the tool to fail if the page takes longer to load or if there are unexpected delays.
3. Fragile XPath and Class Name Selection: The code uses XPath and class name selectors to locate elements on the web page. XPath selectors can be fragile and prone to breaking if the structure of the web page changes. Similarly, relying on specific class names (`_2UwZ_`, `_1y6Yk`, etc.) can lead to issues if the class names are modified in future versions of the web page.
4. Lack of Error Handling: The code does not have comprehensive error handling mechanisms. It relies on exception handling to catch errors but does not provide detailed error messages or handle different failure scenarios gracefully. This can make it challenging to debug and troubleshoot issues.
5. External Dependencies: The code relies on external dependencies such as the `qrcode`, `http`, `subprocess`, `os`, and `webbrowser` libraries. While these libraries can be useful, they may have their own limitations, compatibility issues, or security concerns.