
Researchers have discovered a method of bypassing normal authentication via QR code


by sigismund » 2016-08-01 13:07:59


All that is needed is to convince the victim of the need to scan a QR code.


A security researcher from Seekurity Inc. demonstrated how to compromise user accounts of services that implement authentication using a QR code. The expert called the new technique QRLJacking.

Many sites and applications use a draft open standard for secure login and authentication to a web site. This system is based on a QR code and allows the user to log in to their account without entering a username and password. Resources that support this system display a QR code on the page; by scanning it, users reach their account.

This type of authentication is considered to be very safe, however, experts from Seekurity Inc. failed to demonstrate its shortcomings. All that is necessary for the attacker for a successful attack is to convince the victim of the need to scan a QR code.

The attacker initializes a client-side QR session and copies the "input QR code" onto the phishing page. Then the attacker sends the page to the victim. If the user scans the code using a specific mobile application, the app sends the secret token to complete the authentication process. As a result, the attacker gains full control over the account of the victim.
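The flow described in the post above can be modelled on the server side to show why the scan logs in whoever opened the QR session, and how a short code lifetime and a requester check change the outcome. This is an added example, not part of the original post or of any Seekurity code; the class, the 30-second lifetime, the same-IP rule and the addresses are assumptions made for illustration.

```python
import secrets

QR_TTL = 30  # assumed lifetime in seconds of a displayed QR code


class QRLoginServer:
    """Toy model of QR login: a browser opens a session, a phone approves it."""

    def __init__(self, bind_to_requester):
        self.bind_to_requester = bind_to_requester  # False = flow as described
        self.sessions = {}

    def start_session(self, browser_ip, now):
        """A browser requests a login QR code; the returned id is what it encodes."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"ip": browser_ip, "issued": now, "user": None}
        return sid

    def approve(self, sid, user, phone_ip, now):
        """The logged-in phone app scans the code and approves the session."""
        s = self.sessions.get(sid)
        if s is None or s["user"] is not None:
            return False  # unknown or already used code
        if now - s["issued"] > QR_TTL:
            return False  # stale code: limits how long a copied QR is useful
        if self.bind_to_requester and phone_ip != s["ip"]:
            return False  # scanner is not where the session was opened
        s["user"] = user
        return True

    def logged_in_user(self, sid):
        """Account the browser holding this session is now logged in as."""
        s = self.sessions.get(sid)
        return s["user"] if s else None


def relayed_qr_scenario(bind_to_requester):
    """Session opened from one address, QR scanned by an account owner elsewhere."""
    server = QRLoginServer(bind_to_requester)
    # Constructed addresses from the documentation ranges.
    sid = server.start_session("198.51.100.7", now=0)
    approved = server.approve(sid, "alice", phone_ip="203.0.113.20", now=10)
    return approved, server.logged_in_user(sid)


if __name__ == "__main__":
    print("unbound:", relayed_qr_scenario(False))
    print("bound:  ", relayed_qr_scenario(True))
```

Exact IP matching is a simplification: a phone on mobile data and a browser on Wi-Fi would not match, so a real service would need a coarser comparison or an explicit confirmation step.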