QRLJacking – A New Social Engineering Attack Vector to Access Victim's WhatsApp Account

What is QRLJacking?
QRLJacking (Quick Response Code Login Jacking) is a social engineering attack vector that targets services using "Login with QR code" as authentication.
In simple terms: The victim scans the attacker’s QR code, leading to session hijacking.
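To make the hijack mechanics and the corresponding server-side controls concrete, here is a constructed toy QR-login broker; it is an added example, not code from the original post or from QRLJacker, and the /24 network comparison, the 30-second TTL and all names are assumptions standing in for a real service's geo/ASN checks and policy.

```python
import secrets
import time

TOKEN_TTL = 30  # seconds a displayed QR token stays valid (assumed value)

def same_network(ip_a, ip_b):
    """Coarse /24 comparison standing in for a real geo/ASN check."""
    return ip_a.rsplit(".", 1)[0] == ip_b.rsplit(".", 1)[0]

class QrLoginBroker:
    """Server side of a 'login with QR code' flow (constructed toy).

    The web client requests a token and renders it as a QR code; the user's
    already-authenticated phone scans it and posts it back, and the server
    hands a web session to whoever requested the token.  In QRLJacking that
    requester is the attacker relaying the QR image, so approval is tied here
    to the requester's network context, a short lifetime and single use.
    """
    def __init__(self):
        self.pending = {}  # token -> {"ip": requester ip, "issued": timestamp}

    def issue_token(self, requester_ip, now=None):
        """Called by the web client that will display the QR code."""
        token = secrets.token_urlsafe(24)
        self.pending[token] = {"ip": requester_ip,
                               "issued": time.time() if now is None else now}
        return token

    def approve(self, token, phone_user, phone_ip, confirmed=False, now=None):
        """Called by the phone app after the scan.

        Unknown or stale tokens are refused.  If phone and requester are on
        different networks (the usual QRLJacking shape) the first call returns
        a step-up: the app must show the requester IP to the user and call
        again with confirmed=True before any session is bound.
        """
        now = time.time() if now is None else now
        entry = self.pending.get(token)
        if entry is None:
            return {"ok": False, "reason": "unknown-or-already-used-token"}
        if now - entry["issued"] > TOKEN_TTL:
            self.pending.pop(token)
            return {"ok": False, "reason": "expired"}
        mismatch = not same_network(phone_ip, entry["ip"])
        if mismatch and not confirmed:
            return {"ok": False, "reason": "step-up-required",
                    "requester_ip": entry["ip"]}
        self.pending.pop(token)  # single use: a relayed token cannot be replayed
        return {"ok": True, "user": phone_user, "bound_to": entry["ip"],
                "flagged": mismatch}
```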
---
Exploitation: Attacker's Client Side Setup
Tool: QRLJacker – QRLJacking Exploitation Framework
- Highly customizable exploitation framework.
- Demonstrates how easy it is to hijack QR Code–based login systems.
- Designed to raise awareness of the risks of QR Code authentication.

---
Prerequisites
- Linux or macOS (Not supported on Windows)
- Python 3.7+
- Latest Firefox browser
- Latest Geckodriver
Code:
chmod +x geckodriver
sudo mv -f geckodriver /usr/local/share/geckodriver
sudo ln -s /usr/local/share/geckodriver /usr/local/bin/geckodriver
sudo ln -s /usr/local/share/geckodriver /usr/bin/geckodriver
---
Installation Steps
Code:
git clone https://github.com/OWASP/QRLJacking
cd QRLJacking/QRLJacker
pip install -r requirements.txt
python3 QrlJacker.py --help
---
Tested On
- Ubuntu 18.04 (Bionic Beaver)
- Kali Linux 2018.x and above
---
Core Features
- Autocomplete commands & typo correction
- Search modules by name, description, or author
- Resource file automation
- Session & job management
- Development & debug modes
---