Skip to content

QRLJacking: How scanning a wrong QR Code can compromise your WhatsApp

  • by
  • 3 min read

Have you ever used WhatsApp web? The sheer convenience of using Whatsapp in a desktop is something a lot of people will vouch for.

For those of you who don’t know, WhatsApp web is a web app that lets you use WhatsApp in a desktop browser simply by scanning a QR code from within WhatsApp.

But have you ever thought about how secure this is? I mean sure WhatsApp has all the end to end encryption and other security features but this is a different game.

Enter QRLJacking (Quick Response Code Login Jacking). Using this method, an attacker can easily intercept your WhatsApp Web traffic and can have full access to your WhatsApp.

Also read: 7 Whatsapp alternatives that respect your privacy and security

What is QRLJacking?

QRLJacking is a process in which an attacker creates a fake QR code which, once scanned, can allow the attacker to intercept all Whatsapp traffic for that session.

The way this works is pretty simple. There are a number of tools online using which anyone can create such QR codes in a matter of minutes.

The most common perhaps is the QRLJacking tool by the OWASP Foundation. This tool is openly hosted on GitHub.

You can find the ORLJacking tool by the OWASP Foundation here.

QRLJacking: How scanning a wrong QR Code can compromise WhatsApp

This tool allows the user to generate a malicious QR code in just a few clicks. There are a number of tutorials on YouTube that demonstrate the process.

After the QR Code is generated, the next step is for the victim to scan it. The attacker has to use any social engineering tactics they can to trick the victim into scanning the malicious QR Code.

Once scanned, the attacker has complete access to the victim’s WhatsApp Web just as the victim would have. They can do anything they like. Read the victim’s messages, check their WhatsApp media, chats and so on.

Preventions against QRLJacking

To be honest, once you scan the infected QR Code, there isn’t much you can do. The best course of action would be to log out of all active WhatsApp Web sessions immediately.

You should be really careful when scanning QR Codes in general. Scanning the wrong code can get you in trouble real quick.

As for QRLJacking, only scan the QR Code on the official WhatsApp Web website. Do not scan any random codes from strangers or even friends.

Also read: Psychology of online advertising: How companies persuade you to shop

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: