QRLJacking or Quick Response Code Login Jacking is a simple-but-nasty attack vector affecting all the applications that relays on “Login with QR code” feature as a secure way to login into accounts which aims for hijacking users session by attackers.
Fixed connection listener (function create_listener) logic, typos and exceptions handling.
Added a logic to functions save_profile and load_profile to set adequate permissions on saved/loaded Firefox profiles in order to prevent Selenium from deleting them on session quit.
To prevent TypeError: __init__() should return None, not dict in "browser.py" the "NoBrowser" status is now returned by function new_session instead of the constructor. Code in "module.py" is adapted to this new logic
Fixed some typos
Changes working on the following system and Geckodriver 0.33:
kali@kali:~/Downloads/QRLJacking/QRLJacker$ uname -a && python --version
Linux kali 6.1.0-kali5-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.12-1kali2 (2023-02-23) x86_64 GNU/Linux
Python 3.11.2
Tested using the Whatsapp grabber module.
Partially tested on MacOS:
On my system, Firefox is loading the Whatsapp Web page but not the QRCode (this results in a corrupted image on the phishing page): probably i miss the hardware acceleration for this task.
At the moment i don't have the possibiliy to use a real Macintosh.
Fixes list:
create_listener
) logic, typos and exceptions handling.save_profile
andload_profile
to set adequate permissions on saved/loaded Firefox profiles in order to prevent Selenium from deleting them on session quit.find_elements_by_xpath
removed from Selenium (see https://github.com/SeleniumHQ/selenium/blob/a4995e2c096239b42c373f26498a6c9bb4f2b3e7/py/CHANGES): now using.find_element
(see https://selenium-python.readthedocs.io/locating-elements.html)TypeError: __init__() should return None, not dict
in "browser.py" the "NoBrowser" status is now returned by functionnew_session
instead of the constructor. Code in "module.py" is adapted to this new logicChanges working on the following system and Geckodriver 0.33:
Tested using the Whatsapp grabber module.
Partially tested on MacOS:
On my system, Firefox is loading the Whatsapp Web page but not the QRCode (this results in a corrupted image on the phishing page): probably i miss the hardware acceleration for this task.
At the moment i don't have the possibiliy to use a real Macintosh.