Reduce the risk of QRLJacking


I am currently working on a personal project to facilitate the connection of users to a private interface using a mobile application and a QR Code.

Steps:

  1. Users download an application and log in with a username and password.
  2. Users then connect to a web interface with a QR code.
  3. When users scan the QR code with their mobile, the web service allows each user to access his private interface.

In my research, I came across the QRLjacking exploit allowing a hacker to log in with his QR code.

What techniques could be implemented to drastically reduce the risk of hacking?

So far, I have thought of several ways but they are not ideal:

  • Requesting to scan a second QR code once the first has been scanned (thus requiring the hacker to have access to the second QR code).
  • Limit the validity of the QR code to 15 seconds (thus requiring the hacker to act very quickly).
  • Require the user to connect their phone to the same network and include the IP address in the QR code.
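A toy Python sketch of the server side that combines the measures listed in the question (an unguessable single-use token, a 15-second expiry, and a same-network check) with one further defence against QRLJacking: before the login is approved, the phone shows the user which browser is asking. This is an added example, not code from the question; the `QrLoginService` class, its method names, and the choice to compare the addresses the server observes from each side instead of embedding the IP in the QR code are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

QR_TTL_SECONDS = 15  # the 15-second validity window proposed in the question


@dataclass
class QrLoginSession:
    browser_ip: str  # address of the browser that opened the login page
    browser_ua: str  # shown on the phone so the user can spot a session they did not open
    created: float
    consumed: bool = False
    user: Optional[str] = None


class QrLoginService:
    """Toy in-memory server state for QR login (assumed design; a real service needs a shared store)."""

    def __init__(self, clock=time.time):
        self.sessions = {}
        self.clock = clock

    def _live(self, s):
        return not s.consumed and self.clock() - s.created <= QR_TTL_SECONDS

    def start(self, browser_ip, browser_ua):
        """Browser requests a QR: an unguessable token bound to that browser's address."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = QrLoginSession(browser_ip, browser_ua, self.clock())
        return token  # the value encoded in the QR code

    def scan(self, token, phone_ip):
        """Phone reports a scanned token; returns what the user must approve, or None."""
        s = self.sessions.get(token)
        if s is None or not self._live(s) or phone_ip != s.browser_ip:
            return None  # unknown, expired, already used, or phone not on the browser's network
        return {"browser_ip": s.browser_ip, "browser_ua": s.browser_ua}

    def confirm(self, token, user, approved):
        """User approves or rejects on the phone; the token is spent either way (single use)."""
        s = self.sessions.get(token)
        if s is None or not self._live(s):
            return False
        s.consumed = True
        if approved:
            s.user = user
        return approved
```

The browser that requested the QR code then polls for `sessions[token].user`; an attacker who relays a QR code to a victim is shown to that victim as an unfamiliar browser and address, and the token dies after one use or 15 seconds either way.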