QRLJacking: a new attack vector that leads to hijacking WhatsApp sessions


This post covers a new attack vector that has been discussed lately. The researcher who described it explains the full details and how he was able to hijack WhatsApp users' sessions; what follows is translated from his write-up.

The researcher, Mohamed Abd Elbaset, points out that WhatsApp offers two ways of connecting: the mobile app and the web client at https://web.whatsapp.com. The web version uses a different authentication method: you never type a username or password; you simply scan a QR code with the mobile app to log the web client in. This is not an independent channel, since the mobile phone must remain online for the web client to work; if the phone loses its connection, the web session disconnects automatically. So the web client cannot be relied on when your phone is about to run out of charge, or in similar situations.

WhatsApp applies strong security to the service: HTTPS is enforced, so no MITM attack on the traffic is feasible, and each QR code is valid for only 20 seconds, which means three QR codes every minute.

You can read more about WhatsApp Web authentication here:

https://www.whatsapp.com/faq/en/web/28080003

So what do you need to hijack a WhatsApp account? A vulnerability, right? Not in this case. Suppose we have no physical access to the victim's phone. The researcher explains that exploiting this technique requires some social engineering: no flaw in WhatsApp's code is needed, because the QR code is nothing more than a login token, and whoever scans it logs in the browser that requested it. The scenario used is:

  • The attacker visits web.whatsapp.com and obtains a QR code, which he will mirror to the victim (and keep refreshing, since the real one rotates every 20 seconds).
  • The attacker sends a link to the victim. The researcher notes that if both are on the same LAN, no link needs to be sent: with ARP poisoning the attacker can inject malicious content into pages the victim is browsing, content that convinces the victim this is the real WhatsApp and that they need to scan the mirrored QR code.
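To make the mechanics of the two steps above concrete, here is an added example (written for this post, not the researcher's code and not WhatsApp's real protocol) that models a QR-code login service with 20-second tokens, an attacker's browser session, and a phishing page that relays the attacker's current QR code to the victim. The class names, the IP addresses (from documentation ranges) and the `bind_ip` mitigation are all assumptions made for illustration; the mitigation is there to show why binding the login to the requester's IP does not help against the same-LAN attacker described in the second bullet, since both sides then share one public address.

```python
"""
Toy model of a QR-code login flow (WhatsApp Web style) and a QRLJacking relay.
Constructed for illustration; not WhatsApp's protocol and not the researcher's code.
"""
import secrets

QR_TTL = 20  # seconds a QR login token stays valid (the figure given in the post)


class FakeClock:
    """Manually advanced clock so the example runs deterministically offline."""

    def __init__(self):
        self.now = 0

    def tick(self, seconds):
        self.now += seconds


class Service:
    """Server side: issues short-lived QR tokens and binds browser sessions to accounts."""

    def __init__(self, clock, bind_ip=False):
        self.clock = clock
        self.bind_ip = bind_ip   # hypothetical mitigation: scanner IP must equal requester IP
        self.pending = {}        # token -> (client_id, client_ip, issued_at)
        self.sessions = {}       # client_id -> account now logged in

    def issue_qr(self, client_id, client_ip):
        token = secrets.token_hex(8)
        self.pending[token] = (client_id, client_ip, self.clock.now)
        return token

    def scan(self, token, account, phone_ip):
        """The phone app scanned `token` while logged in as `account`."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return "unknown-token"
        client_id, client_ip, issued_at = entry
        if self.clock.now - issued_at > QR_TTL:
            return "expired"
        if self.bind_ip and phone_ip != client_ip:
            return "ip-mismatch"
        self.sessions[client_id] = account   # whoever requested the QR is now logged in
        return "ok"


class WebClient:
    """A browser session (here, the attacker's) that displays a QR code."""

    def __init__(self, service, client_id, ip):
        self.service, self.client_id, self.ip = service, client_id, ip
        self.token = None
        self.refresh()

    def refresh(self):
        self.token = self.service.issue_qr(self.client_id, self.ip)
        return self.token

    def logged_in_as(self):
        return self.service.sessions.get(self.client_id)


class PhishingPage:
    """Attacker's relay: shows the attacker browser's current QR code to the victim."""

    def __init__(self, attacker_client, clock, auto_refresh=True):
        self.client, self.clock, self.auto_refresh = attacker_client, clock, auto_refresh
        self.last_refresh = clock.now

    def current_qr(self):
        # The real QR rotates every QR_TTL seconds, so a working relay must re-poll it;
        # a relay that does not refresh serves a stale token that the service rejects.
        if self.auto_refresh and self.clock.now - self.last_refresh >= QR_TTL:
            self.client.refresh()
            self.last_refresh = self.clock.now
        return self.client.token


def run_attack(delay_before_scan, auto_refresh=True, bind_ip=False,
               victim_ip="203.0.113.7", attacker_ip="198.51.100.9"):
    """Return (scan result, account the attacker's browser ends up logged in as)."""
    clock = FakeClock()
    service = Service(clock, bind_ip=bind_ip)
    attacker_browser = WebClient(service, "attacker-browser", attacker_ip)
    page = PhishingPage(attacker_browser, clock, auto_refresh=auto_refresh)
    clock.tick(delay_before_scan)          # victim takes this long to open the page and scan
    qr = page.current_qr()
    result = service.scan(qr, "victim@example", victim_ip)
    return result, attacker_browser.logged_in_as()


if __name__ == "__main__":
    print(run_attack(5))                                       # ('ok', 'victim@example')
    print(run_attack(25, auto_refresh=False))                  # ('expired', None)
    print(run_attack(25))                                      # ('ok', 'victim@example')
    print(run_attack(5, bind_ip=True))                         # ('ip-mismatch', None)
    print(run_attack(5, bind_ip=True, victim_ip="198.51.100.9"))  # same LAN/NAT: ('ok', ...)
```

The last two calls are the point for defenders: an IP check blocks the remote phishing-link variant, but the ARP-poisoning variant puts attacker and victim behind the same address, so a service that wants to stop QRLJacking needs something the attacker cannot mirror, such as an explicit confirmation on the phone that names the browser being authorised.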

 

A video demonstration shows how the attack works from both sides, the attacker's and the victim's.


Fake WhatsApp page controlled by the attacker:

http://i.imgur.com/1DWtZqW.jpg

This image shows a newspaper website, poisoned on the local network, displaying the attacker's malicious QR code.

 

The attack was submitted to OWASP: https://www.owasp.org/index.php/QRLJacking

 

 

2 COMMENTS

  1. I love this write up, so I will like to share a very good hacker with you readers. When I had infidelity issues, cybertexpert was the hacker that helped me hack my husband’s phone so that I could monitor his cheating activities. He was introduced to me by a friend who had also used him in a similar situation. He has done a couple of other jobs which I know of, so I can confidently tell anyone reading this right now, that he is a very good hacker and can help you with any hacking related issues. Feel free to contact him on [email protected]. I wish you the best.
