I am currently working on a personal project to facilitate the connection of users to a private interface using a mobile application and a QR Code.
- Users download an application and log in with a username and password.
- Users then connect to a web interface with a QR code.
- When users scan the QR code with their mobile, the web service allows each user to access his private interface.
In my research, I came across the QRLjacking exploit allowing a hacker to log in with his QR code.
What techniques could be implemented to drastically reduce the risk of hacking?
So far, I have thought of several ways but they are not ideal:
- Requesting to scan a second QR code once the first has been scanned (thus requiring the hacker to have access to the second QR code).
- Limit the validity of the QR code to 15 seconds (thus requiring the hacker to act very quickly)
- Require the user to connect their phone to the same network and include the IP address in the QR code.