Do you use WhatsApp Web on free Wi-Fi networks, in malls or other public places, without paying attention to the login process? There is something to worry about, believe me: a WhatsApp hijack known as QRLJacking, which targets any application that uses a QR Code as a login method, WhatsApp in particular. Once the session is hijacked, the attacker has access to everything: contacts, photos and WhatsApp chats, as if they were you.
Anyone who has used WhatsApp on a computer knows the process is simple: open the "WhatsApp Web" option in the app and scan the QR Code (Quick Response Code) shown on the page of the web messenger (web.whatsapp.com); the login is done.
ESET researcher Daniel Barbosa says it is possible to add extra validations so that the QR code can be used more safely. Most of the time, however, manufacturers prioritize new features and leave security aside.
How QRLJacking works
Hijacking the QR Code is possible because it is relatively easy to take advantage of this convenience (which is not a flaw, but a legitimate feature of the application) to persuade victims to scan the wrong QR Code. In most cases the bait is a poorly made copy that looks nothing like the real WhatsApp Web page.
What is worrying is that the tool created to generate the fake QR Code can be adapted to each attacker's needs. The platform opens a standard page as an example only, but its source code is available for modification, and it accepts HTML, scripts and other web-development features.
"Imagine that the attacker takes the time to mount something more convincing, like an advertising banner, which offers a year of some absolutely free service, and that this advertisement appears when the victim navigates through various sites; it seems much more convincing, doesn't it?" he asks. The attacker convinces the user that this is the correct page, by invading the network, using banners, manipulating the default browser and so on.
How WhatsApp uses QR Code
A QR Code is an image. Once interpreted by a QR Code reader, it yields a string of data. In the case of WhatsApp, the application uses that data to validate the user's access to the Web/Desktop client without any further validation.
How WhatsApp Theft Occurs
Criminals have developed tools that capture and store the QR code generated by WhatsApp and create a new QR Code to be displayed to the victim.
"With the naked eye it is not possible to differentiate the original code from the code forged by the attackers. After that, the victim's session is stored on the criminal's computer and he can use it as he sees fit, without causing any interruption in the use of the application on the victim's smartphone," he explains.
How to block unauthorized access on WhatsApp Web
Just behave safely and stay alert. In a hurry, even trained users can fall for social engineering tricks. It happens to everyone.
1. Know the application you are using
In the case of WhatsApp and other messengers, the QR code serves only to log in to WhatsApp Web. If a banner asks you to scan a QR code in exchange for some benefit, do not believe it. Also learn the details of the real login page, its look, colors and exact URL, so you are not fooled.
2. Avoid public or unreliable networks
Attacks like these happen when the criminal is on the same network as the victim. On an insecure network, avoid features that require a login or that handle personal data.
3. Be aware of what you are browsing
Even on networks we believe to be safe, such as at work, there may be risks. Stay alert and watch the pages you are accessing.
4. Warning signs of QRLJacking, and signing out
Attacks of this type, which use a fake QR Code, do not usually give the user any feedback. So if you scan a code and nothing happens (or not what was promised), it is probably an attack. Open the main WhatsApp app screen, go to WhatsApp Web, and log out of all sessions started on computers. This makes the criminals lose access.
5. Keep everything updated
Better safe than sorry. Using an antivirus on your Android phone and on your computer can help block malicious threats, malicious URLs encoded in QR Codes, and malicious behavior in the operating system. Also keep all software and applications constantly updated; this fixes known security problems.
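To make concrete both the researcher's point about extra validations and step 4's "log out of all sessions", here is an added toy model in Python of a QR-code web login; it is not WhatsApp's code or protocol. The token the QR encodes is random, HMAC-tagged and short-lived; the phone is shown which browser (IP, user agent) is asking before it approves; a phone/browser public-IP mismatch is flagged as a warning; and every approved web session can be revoked from the phone. The class, method names and signing key are assumptions made for this example.

```python
import hashlib, hmac, secrets, time

SIGNING_KEY = b"demo-only-server-key"  # constructed for this example, never reuse


class QRLoginServer:
    """Toy QR-code web login with the extra checks the article asks for:
    signed short-lived token, requester shown to the phone, revocable sessions."""

    def __init__(self, ttl=60.0):
        self.ttl = ttl
        self.pending = {}   # token -> (browser_ip, user_agent, issued_at)
        self.sessions = {}  # session_id -> (user, browser_ip, user_agent)

    def issue_qr(self, browser_ip, user_agent, now=None):
        """Web page asks for a QR; the returned token is what the QR image encodes."""
        now = time.time() if now is None else now
        nonce = secrets.token_hex(8)
        tag = hmac.new(SIGNING_KEY, nonce.encode(), hashlib.sha256).hexdigest()[:16]
        token = f"{nonce}.{tag}"
        self.pending[token] = (browser_ip, user_agent, now)
        return token

    def scan_preview(self, token, now=None):
        """Phone decodes the QR and asks who requested the login; None if unknown, forged or expired."""
        now = time.time() if now is None else now
        nonce, _, tag = token.partition(".")
        expected = hmac.new(SIGNING_KEY, nonce.encode(), hashlib.sha256).hexdigest()[:16]
        req = self.pending.get(token)
        if req is None or not hmac.compare_digest(tag, expected) or now - req[2] > self.ttl:
            return None
        return {"browser_ip": req[0], "user_agent": req[1]}

    def approve(self, token, user, phone_ip, now=None):
        """Create the web session only on explicit approval from the phone. A phone/browser
        public-IP mismatch is one signal (not proof) that the QR was relayed, e.g. via a fake banner."""
        preview = self.scan_preview(token, now)
        if preview is None:
            return None
        del self.pending[token]  # single use: a replayed QR is rejected
        sid = secrets.token_hex(16)
        self.sessions[sid] = (user, preview["browser_ip"], preview["user_agent"])
        return {"session": sid, "ip_mismatch": preview["browser_ip"] != phone_ip}

    def logout_all(self, user):
        """'Log out of all sessions' from the phone: revokes every web session of the user."""
        gone = [sid for sid, s in self.sessions.items() if s[0] == user]
        for sid in gone:
            del self.sessions[sid]
        return len(gone)
```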