I’m currently working on a personal project to allow users to connect to a private interface using a mobile application and a QR code.
- Users download an application and log in with a username and password.
- Users then connect to a web interface with a QR code.
- When users scan the QR code with their phone, the web service allows each user to access their own interface.
In my research, I came across the QRLjacking exploit, which allows a hacker to log in with their QR code.
What techniques could be implemented to drastically reduce the risk of hacking?
So far, I’ve thought of several techniques, but they aren’t ideal:
- Requesting that a second QR code be scanned once the first has been scanned (thus requiring the hacker to have access to the second QR code).
- Limiting the validity of the QR code to 15 seconds (thus requiring the hacker to act very quickly).
- Requiring the user to connect their phone to the same network and including the IP address in the QR code.
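As an added illustration (not code from the question or from any project it mentions), here is a toy Python model of the login flow described above with two of the listed mitigations wired in, the 15-second validity window and the same-network IP check, plus single-use tokens. It then runs a QRLjacking-style attempt, where the attacker's browser requests the QR code and relays it to the victim's phone. The class and function names, the QR payload format and the IP addresses are my assumptions, chosen only to make the scenarios runnable offline.

```python
import secrets
import time

# Validity window from the question: the QR code is only good for 15 seconds.
QR_TTL_SECONDS = 15


class FakeClock:
    """Controllable clock so the expiry check can be exercised without sleeping."""

    def __init__(self, now=1_000.0):
        self.now = now

    def __call__(self):
        return self.now


class QrLoginServer:
    """Toy model of the web service (hypothetical): it issues QR login
    challenges and opens a browser session only after the already
    logged-in phone app approves one."""

    def __init__(self, clock=time.time):
        self.clock = clock     # injectable for testing expiry
        self.pending = {}      # token -> {"issued": t, "browser_ip": ip}
        self.sessions = {}     # token -> username, once approved

    def issue_qr(self, browser_ip):
        """The browser asks for a login QR. The server records the browser's
        source IP itself instead of trusting anything the client sends."""
        token = secrets.token_urlsafe(32)   # 256 random bits: unguessable
        self.pending[token] = {"issued": self.clock(), "browser_ip": browser_ip}
        # This dict is what the QR image would encode (assumed payload format).
        return {"token": token, "ip": browser_ip}

    def approve_from_phone(self, qr_payload, username, phone_ip):
        """The authenticated phone app posts the scanned payload. `username`
        comes from the app's own login session, never from the QR code."""
        token = qr_payload.get("token")
        entry = self.pending.pop(token, None)   # pop: each token is single-use
        if entry is None:
            return "rejected: unknown or already-used token"
        if self.clock() - entry["issued"] > QR_TTL_SECONDS:
            return "rejected: expired"
        # Compare against the IP recorded at issue time, not the "ip" field in
        # the QR payload, because an attacker relaying the QR could rewrite it.
        if phone_ip != entry["browser_ip"]:
            return "rejected: phone is not on the browser's network"
        self.sessions[token] = username
        return "approved"

    def browser_session(self, token):
        """The browser polls this; it receives a username only after approval."""
        return self.sessions.get(token)


def legitimate_flow():
    """User's own browser and phone share one public address (constructed)."""
    server = QrLoginServer()
    qr = server.issue_qr(browser_ip="192.0.2.10")
    result = server.approve_from_phone(qr, "alice", phone_ip="192.0.2.10")
    return result, server.browser_session(qr["token"])


def qrljacking_attempt():
    """Attacker's browser requests the QR and relays it; the victim scans it
    from home, so the phone's source IP does not match the attacker's."""
    server = QrLoginServer()
    qr = server.issue_qr(browser_ip="198.51.100.7")          # attacker's browser
    result = server.approve_from_phone(qr, "alice", phone_ip="192.0.2.10")
    return result, server.browser_session(qr["token"])


def expired_flow():
    """The victim scans a relayed code only after the 15-second window."""
    clock = FakeClock()
    server = QrLoginServer(clock=clock)
    qr = server.issue_qr(browser_ip="192.0.2.10")
    clock.now += QR_TTL_SECONDS + 1
    return server.approve_from_phone(qr, "alice", phone_ip="192.0.2.10")


def replayed_flow():
    """A captured payload cannot be approved a second time."""
    server = QrLoginServer()
    qr = server.issue_qr(browser_ip="192.0.2.10")
    first = server.approve_from_phone(qr, "alice", phone_ip="192.0.2.10")
    second = server.approve_from_phone(qr, "alice", phone_ip="192.0.2.10")
    return first, second


if __name__ == "__main__":
    print("legitimate:", legitimate_flow())
    print("QRLjacking:", qrljacking_attempt())
    print("expired:", expired_flow())
    print("replay:", replayed_flow())
```

Two design points worth noting. The server checks the phone's source address against the address it recorded when the browser requested the code, not against the IP field embedded in the QR, since an attacker who relays the code controls its contents; the field is only there for the app to show the user. And the same-network check only does what the question intends when the browser and the phone really present the same address to the server (for example both behind the same NAT); a phone on mobile data will fail the check even for the legitimate user, which is the usability cost of that mitigation.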