QRL jacking Complete guide by Blackhat Pakistan 2023
Quick Response Code Login Jacking (also known as QRL Jacking) is a social engineering attack that allows an attacker to hijack a session and affect all applications that depend on the “QR Code Login” feature as a secure way to log in to their respective accounts. Simply put, the attacker’s QR code is scanned by the victim, resulting in session hijacking.
For example: using QRL Jacking, an attacker can create a phishing QR code page of the WhatsApp website. When the victim scans this QR code from their device, the generated authentication token is then sent to the attacker’s server. The attacker then verifies the authentication token from the WhatsApp website; then he can see the victim’s messages.

How QRL jacking works
- The attacker generates a QR session and clones the login QR code to the phishing site. After that, a well-crafted phishing page with a valid and updated QR code is ready to be sent to the victim.
- Then, the attacker uses his social engineering skills to send a phishing page to the victim.
- The victim scans the QR code with a specific device.
- The attacker gains control of the victim’s account.
- The victim’s data is exchanged with the attacker’s session.
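The flow above works because the QR approval authenticates whichever browser session requested the code. The following server-side model is an added example, not code from the QRLJacking framework or any real service; it shows that weakness next to a hardened check. The class, the TTL value and the IP addresses are constructed assumptions.

```python
import secrets
import time

QR_TTL = 20  # seconds a QR code stays valid (assumed value for this example)

class QRLoginServer:
    """Toy model of a QR login endpoint (hypothetical, not a real service's API)."""

    def __init__(self, same_network_only, clock=time.time):
        self.same_network_only = same_network_only
        self.clock = clock
        self.pending = {}  # qr_token -> browser session waiting for approval

    def new_qr(self, browser_ip):
        # The token identifies the browser session that asked for the QR code.
        token = secrets.token_urlsafe(16)
        self.pending[token] = {"ip": browser_ip, "issued": self.clock(), "user": None}
        return token

    def approve(self, token, user, phone_ip):
        # Called when a logged-in phone scans the code.
        rec = self.pending.get(token)
        if rec is None or self.clock() - rec["issued"] > QR_TTL:
            return "expired"
        # Weak flow: nothing ties the scanning phone to the requesting browser,
        # so a code displayed on any page logs in whoever requested it.
        if self.same_network_only and phone_ip != rec["ip"]:
            return "rejected"  # hardened: phone and browser must share a network
        rec["user"] = user
        return "approved"

    def session_user(self, token):
        rec = self.pending.get(token)
        return rec["user"] if rec else None

def simulate(same_network_only, browser_ip, phone_ip):
    """Constructed scenario using documentation-range IP addresses."""
    server = QRLoginServer(same_network_only)
    token = server.new_qr(browser_ip)
    return server.approve(token, "alice", phone_ip), server.session_user(token)

if __name__ == "__main__":
    print(simulate(False, "203.0.113.7", "198.51.100.23"))    # weak flow
    print(simulate(True, "203.0.113.7", "198.51.100.23"))     # hardened, networks differ
    print(simulate(True, "198.51.100.23", "198.51.100.23"))   # hardened, same network
```

The same-network rule also rejects a legitimate login when the phone is on mobile data, so services often pair a short code lifetime with a confirmation prompt on the phone that shows where the login request came from.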
Installation
In Windows
After downloading the framework and Python:
- cd QrlJacking-Framework
- pip install -r requirements.txt
- python .py
On Ubuntu or Kali Linux
- git clone https://github.com/OWASP/QRLJacking
- cd QrlJacking-Framework
- pip install -r requirements.txt
- python .py
On OSX
- git clone https://github.com/OWASP/QRLJacking
- cd QrlJacking-Framework
- sudo easy_install pip
- sudo pip install -r requirements.txt
- python .py
Requirements to achieve successful QRL jacking
QRL Jacking consists of two sides:
- Server Side: A server-side script is required to handle and shape the final appearance of the victim.
- Client side: Cloning the QR code and pasting it on the phishing page.
QRL-jacking WhatsApp
Let’s take an example from one of the most popular applications today: WhatsApp.
We all know that WhatsApp uses end-to-end encryption, but that protects messages in transit, not the web login session, so an account can still be hacked using this attack method. Let’s see how an attacker can gain access to a target’s WhatsApp account:
STEP 1
Install the QRL-jacking tool on your Kali machine (you can use Github to clone it) as shown below:

STEP 2
Once the download is complete, you will now need to install the QRL-jacking tool. As you can see in the image below, navigate to the directory where it was downloaded. You will need to do two things:
- Install requirements.txt using pip install (if it is not installed on your machine, install it using apt-get install pip).
- You will need to grant permissions to the Python executable located in the framework directory (use the command “chmod 777 ‘Filename’”).

NOTE: If you don’t use the -r switch, you may get an error, so make sure you use it during installation.
STEP 3
Here comes the interesting part. Once you have downloaded and installed the QRL jacker, run the .py file in the framework directory. Below is the result you get after running it. As you can see, not only WhatsApp but also other web applications are vulnerable to QRL jacking – applications like postal services, passport services and online banking.
Since we are using the example of WhatsApp, which is a chat application, we will enter 1 as our choice.

STEP 4
When you enter 1, you will see a list that contains three chat apps. We’ll enter 1 again as our choice since we’re using the WhatsApp example here.
We will then need to enter a port number to listen on our server. You can enter any port number here, but 1337 is the default listening port, so we will enter the same.

STEP 5
Once you enter the listening port number, you’ll see a web page open in your browser containing a QR code. This is where the social engineering part comes in: you have to lure the victim through email or whatever service you choose. Once the victim scans this QR code, you will get the victim’s WhatsApp chat window in the browser itself.
One more thing: you can see below the image there is an option to stay logged in. You can also use this for a permanent connection.

Sources
QRL Jacking, OWASP