In our previous post you had a chance to read a brief description of QRLJacking, a new social engineering attack vector. Now we present an interview with its creator. Dive in and learn how Mohamed and his team found a flaw in "Secure Quick Response Login" (login with a QR code).
[Hakin9 Magazine]: Dear Mohamed, first of all, it is a pleasure to talk with you. Could you please introduce yourself to our readers?
[Mohamed A. Baset]: Hi, thanks a lot for having me here. I’m Mohamed Abdelbasset Elnouby, a 28-year-old Information Security maniac with 14 years of experience in the Information Security field, specifically Application Security. I used to work as a Mobile and Web Application penetration tester, remotely and onsite, helping a lot of major companies to protect their business and web applications. I’m working now as a Senior Information Security Analyst at Linio, which is the biggest e-commerce company in Latin America. Also, as an active Bug Bounty program participant, I discovered lots of vulnerabilities of differing severity in lots of big companies, like Facebook, Twitter, Google, Yahoo, Microsoft, Mozilla, Adobe, Sony, Apple, Samsung, Nokia, AT&T, T-Mobile, SoundCloud, Foursquare, WordPress, Kaspersky, Symantec, F-Secure, Avira, Avast, AVG, Bit-Defender, McAfee, TrendMicro, CNET, Ask.com, BBC, CNN, Freelancer.com, Mediafire and many more, including non-disclosed companies.
[H9]: It looks like you have been involved in many projects. What was your favorite one? Or is there any company you have enjoyed working the most with?
[MB]: Yes, I've been working on many projects during my career in both the Security and Web Development fields, but currently the closest project and company to my heart is Seekurity Inc, which I launched with a couple of my friends a year ago. We have a good team that is open to new ideas and challenges. I'm really proud of the stuff we have in Seekurity's kitchen right now; as a teaser, we are working on a solution to prevent Ransomware and other stuff, so stay tuned!
[H9]: What made you look for a QR code attack? What is it and how was it discovered?
[MB]: First of all, having a hacker mindset, we always like to break things, right? Know how things work, how to break them and make them more secure. I was looking around some web applications that are not using the regular Username and Password and use other techniques, such as QR code, as an authentication method. Then it came to my mind that the most famous application that uses such a method is “WhatsApp”, so I tried to understand how the authentication works and how a non-regular authentication method could be attacked!
[H9]: Do people really use QR codes? I thought it was not that popular. And how common are attacks?
[MB]: Since Google announced "Login using QR Code" in 2013, it has become popular outside the automotive industry due to its fast readability and greater storage capacity compared to standard UPC barcodes. Applications include product tracking, item identification, time tracking, document management, and general marketing.
[H9]: Can you introduce QRLJacking to our readers?
[MB]: QRLJacking, or Quick Response Code Login Jacking, is a simple social engineering attack vector capable of session hijacking, affecting all applications that rely on the “Login with QR code” feature as a secure way to log in to accounts. Put simply, when a victim scans the attacker’s QR code, it results in session hijacking. The QRLJacking attack is now on the OWASP official website as an attack vector, along with the other known Web Application attack types, and you can learn more about it there. The attack itself is not a brand-new thing, but we did our best to bring it to light to raise personal security awareness against such attacks.
[H9]: I read that the whole team worked on this project, can you tell us a little about them?
[MB]: Yes, of course, this is completely teamwork; we worked together on different modules like the QRLJacker framework, documentation, attack mitigation, attack vectors, etc. Aty helped in the mitigation research, Elsobky in reviewing the documentation and enriching the discussion about some differences between similar attacks, Kasem helped by making real-life attack vectors, Shawky helped in testing and implementation and, finally, Shoeir contributed by developing the QRLJacker framework, which we used to automate the QRLJacking attack and made it easy to exploit. Alaa was a case scenario tester, Alfateh, Abbas and Juan helped in reaching the OWASP team to send them the details and revising the paper's grammar, and Hiram helped by making a great presentation on QRLJacking and its framework that can be presented by anyone.
[H9]: Did the team come together for this project or did you all work together previously?
[MB]: Well, most of the team members are really close friends of mine that I've worked with before, or at least got to see them working on something. However, I am really proud that after we launched our repository on GitHub, a lot of Arabs from the security field contributed to making this attack more polished and better documented.
[H9]: Are there any new attack vectors that we need to be worried about in regards to QRLJacking? Or do we simply add QR codes to the list of things that could potentially be dangerous and need to be verified, like links and email attachments?
[MB]: QRLJacking is one of many social engineering attacks that ask victims to take actions, like “Scan this QR”, “Enter your personal data”, etc., so it’s all about personal security awareness. Sometimes people know more about the risk of a specific thing and know less about the others. My advice is to check everything around you: your incoming messages, attachments, suspicious messages, and take more care with social media because it’s the real danger now. Your personal security is something important even if you don’t have anything to lose. Having this security-phobia is something healthy for sure.
[H9]: At some point, you have to start sacrificing convenience for security though, and most people are not willing to do that - is there an escape from that?
[MB]: All security researchers understand the conflict between usability, user convenience and security. What's so difficult, as mentioned in your question, is delivering this idea to the user. The user wants to have the best features and has nothing to do with how those features are secured or whether they even work. It's really hard to find a solid solution for such a problem, but to reach the best results, I think we need to put more effort into spreading awareness and also work more on teaching developers how to work along with security researchers, and the same thing between security researchers and UX developers.
[H9]: What do you think is the best thing to do to make people more aware of this threat, along with many others?
[MB]: Spreading the knowledge over the internet; personal and corporate security awareness is also going to play a vital role in this.
[H9]: What is the biggest challenge your team has to face at the moment?
[MB]: The biggest challenge is the outreach. OWASP helped us a lot by accepting this attack as a new attack technique and listing it on its wiki, which for me and my team is a great achievement, and because of that lots of popular security blogs started to write about it, which made the attack popular and known now by a lot of people all over the internet.
[H9]: Those people surely include hackers who will try to use it for malicious purposes, and that cannot be escaped. Apart from raising awareness and avoiding social engineering, has there been any progress with other detection and mitigation techniques?
[MB]: Most attacks that are based on social engineering techniques are very difficult to handle from the application side. Therefore, I've been working with my team members to find a mitigation to make it as hard as possible to be exploited since the day I discovered this technique.
[H9]: Any plans for the future?
[MB]: Sure, we are doing some slides about the attack vector itself and we are willing to present it at one of the biggest security events (OWASP AppSec, Defcon, Blackhat, etc.), but for now we don’t have that much time since I’m a full-time employee and the whole team are undergrads, but we are doing our best to raise awareness of the danger of such attacks.
[H9]: If someone among your readers was interested in this and wanted to check it out, or possible contact you, can they do that? How?
[MB]: Sure thing, here are my contact details:
Also, anyone is welcome to contribute to the attack vector itself, the exploitation framework, attack vectors, mitigation techniques, or the documentation. Here’s our GitHub repository https://www.github.com/OWASP/QRLJacking
[H9]: Do you have any thoughts or experiences you would like to share with our audience? Any good advice?
[MB]: First I would like to thank you again for all of this and yes there’s a lot of advice:
- Do not open any kind of links you don’t know.
- Make sure to check shortened links in a different browser session (Firefox Private or Chrome Incognito) because sometimes these links contain zero-day vulnerabilities, phishing attacks, etc.
- The browser’s address bar is the most important thing regarding validating phishing attacks; please pay more attention to the domains, sub domains and the top level domains and make sure that you are in the right place.
- Do not scan a QR code that is introduced to you by a non-trusted website even if it looks like a legitimate website.
- Security-phobia is a good and healthy thing.
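To make the flow Mohamed describes concrete, here is an added simulation of a "login with QR code" service and of the QRLJacking relay against it. This is example code written for this page, not code from the interview, from the QRLJacker framework or from any real service; the class and function names, the client IP/user-agent metadata, the token lifetime and the `scan_preview` step (an assumed, generic mitigation that shows the scanning user which client requested the login) are all assumptions made for the illustration.

```python
import secrets
import time

# Added example (not from the interview or the QRLJacker framework): an
# in-memory model of a "login with QR code" flow. It shows why a victim who
# scans an attacker-supplied QR code hands the attacker an authenticated web
# session. Service/method names, IPs and user agents are constructed.


class QRLoginService:
    """Server side of a QR-code login: a web client requests a one-time token,
    renders it as a QR code and waits; the user's already-authenticated mobile
    app scans the token and confirms it, which logs in whichever web session
    requested that token."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        # web session id -> {"user": account or None, "ip": ..., "ua": ...}
        self.sessions = {}
        # QR token -> {"session": web session id, "issued": timestamp}
        self.pending = {}

    def new_web_session(self, client_ip, user_agent):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": None, "ip": client_ip, "ua": user_agent}
        return sid

    def request_qr_token(self, sid, now=None):
        """Return the secret the web client renders as the QR code."""
        token = secrets.token_urlsafe(16)
        issued = now if now is not None else time.time()
        self.pending[token] = {"session": sid, "issued": issued}
        return token

    def scan_preview(self, token):
        """Assumed mitigation: metadata the mobile app can show before
        confirming, so the user sees which client actually asked to log in."""
        entry = self.pending.get(token)
        if entry is None:
            return None
        web = self.sessions[entry["session"]]
        return {"ip": web["ip"], "ua": web["ua"]}

    def confirm_scan(self, token, account, now=None):
        """Called by the mobile app that is logged in as `account`. Tokens are
        single-use and expire; that limits the attack window but does not stop
        a live relay that gets the victim to scan within the window."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        current = now if now is not None else time.time()
        if current - entry["issued"] > self.ttl:
            return False
        # Nothing here ties the token to the person scanning it: whoever
        # requested it gets logged in as whoever confirms it.
        self.sessions[entry["session"]]["user"] = account
        return True

    def whoami(self, sid):
        return self.sessions[sid]["user"]


def legitimate_login(svc):
    """Victim requests the QR in their own browser and scans it themselves."""
    sid = svc.new_web_session("203.0.113.10", "Firefox/desktop")
    token = svc.request_qr_token(sid)
    svc.confirm_scan(token, "victim")
    return svc.whoami(sid)


def qrljacking(svc):
    """The attack from the interview: the attacker requests a fresh token for
    *their* web session, puts that QR on a phishing page, and the victim scans
    it with the legitimate app. Returns the attacker's resulting identity and
    what a preview step would have shown the victim."""
    attacker_sid = svc.new_web_session("198.51.100.7", "Chrome/desktop")
    token = svc.request_qr_token(attacker_sid)
    preview = svc.scan_preview(token)   # attacker's client, not the victim's
    svc.confirm_scan(token, "victim")   # victim's app confirms the attacker's token
    return svc.whoami(attacker_sid), preview


if __name__ == "__main__":
    svc = QRLoginService()
    print("legitimate login:", legitimate_login(svc))
    user, preview = qrljacking(svc)
    print("attacker session is now logged in as:", user)
    print("what a preview step would have shown the victim:", preview)
```

The point the simulation makes is that the token is bound to the web session that requested it, not to the device that scans it, so expiry and single use alone only shorten the attacker's window. The preview step is one generic way to give the scanning user a chance to notice a login request from an unfamiliar client; it is an assumption of this example, not the team's published mitigation.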
Mohamed A. Baset:
An Information Security avenger with 14 years of experience, founder of the Seekurity firm, someone who breaks things to make them safer, has helped tons of companies onsite and remotely to protect their customers, and Facebook Top 10 Whitehat for 2016.
QRLJacking – A new Social Engineering Attack Vector:
OWASP official attack page as an attack vector
The attack's Wiki on OWASP's Github
Youtube Channel: https://www.youtube.com/channel/UCzCB4SR6exJGiO8zy22IfHw
- Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.