Have you ever used WhatsApp Web? A lot of people will vouch for the sheer convenience of using WhatsApp on a desktop.
For those who don’t know, WhatsApp Web is a web app that lets you use WhatsApp in a desktop browser simply by scanning a QR code from within the WhatsApp mobile app.
But have you ever thought about how secure this is? Sure, WhatsApp has end-to-end encryption and other security features, but the login step is a different game.
Enter QRLJacking (Quick Response Code Login Jacking). Using this method, an attacker can intercept your WhatsApp Web session and gain full access to your WhatsApp.
What is QRLJacking?
QRLJacking is a technique in which an attacker presents the victim with a fake QR code which, once scanned, allows the attacker to take over the resulting WhatsApp Web session and see all of its traffic.
The way this works is pretty simple. There are a number of tools online with which anyone can create such QR codes in a matter of minutes.
The most common is perhaps the QRLJacking tool maintained under the OWASP Foundation. This tool is publicly hosted on GitHub.
It lets the user generate a malicious QR code in just a few clicks, and there are a number of tutorials on YouTube that demonstrate the process.
After the QR code is generated, the next step is for the victim to scan it. The attacker has to use whatever social engineering tactics they can to trick the victim into scanning the malicious QR code.
Once it is scanned, the attacker has the same access to the victim’s WhatsApp Web session as the victim would have. They can do anything they like: read the victim’s messages, browse their WhatsApp media, chats and so on.
Preventions against QRLJacking
To be honest, once you have scanned a malicious QR code, there isn’t much you can do after the fact. The best course of action is to log out of all active WhatsApp Web sessions immediately; this is done from the list of linked devices in the WhatsApp app on your phone, which also lets you check whether any session you don’t recognise is still active.
You should be careful when scanning QR codes in general. Scanning the wrong code can get you in trouble very quickly.
As for QRLJacking specifically, only scan the QR code shown on the official WhatsApp Web website, in a browser tab you opened yourself. Do not scan random codes sent to you by strangers, or even by friends.
Yadullah writes, edits, shoots and hosts all things tech, and when he’s not doing that, he streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.