Just because of QQ login to the QR code, a large-scale social death occurred on the entire network…

Welcome to the WeChat subscription number of “Sina Technology”: techsina

Source: bad review (ID: chaping321)

When I woke up, I found that my QQ had sent a bunch of yellow pictures to my parents, classmates, and even secret crushes, so that they were reported, blocked, and hung up on QQ space. Such a social death scene may be the result of many people yesterday. The despair I was experiencing in the morning.

What’s more serious, I have to take a picture with my ID card in the case of innocence, write a review letter, and tell Tencent: “I will no longer dare to post color pictures in a group to steal my account, please return the account to me. .”

Even Xuetong, who died a while ago because of an information leak, was pulled out and flogged for a round of corpses, and died once again.

It may be that everyone’s speculation is getting more and more outrageous, and some people even suspect that the penguin is guarding and stealing.

The main reason is “scanning the fake game login QR code to authorize the login”.

According to the revelations of online netizens, most of the stolen netizens have had the experience of logging into QQ-related QR code accounts in Internet cafes.

No, sir, people used to say not to enter account passwords in Internet cafes, because it is easy to be recorded.

But now you tell me that the safest scanning QR code will also be stolen, I will really thank you. . .

This. . Can I still happily log into my account in an unfamiliar place? What about trust between people?

Hey, don’t say anything. Let’s study the principle of this QR code trick.

Open the software, scan the QR code with the mobile app, and click OK to log in. Is this process very simple?

But in fact, there are two layers of authentication involved.

When you scan the QR code, it is equivalent to telling the server: who I am; and after clicking confirm, you are confirming with the server that I am really me.

For the sake of safety, if any one of these two steps is delayed for too long, the system will determine that you are cheating it, making the QR code invalid, and you have to re-authenticate yourself to complete the login.

Real-time coverage of your computer’s QR code. . .

Then you think you are scanning the QR code for logging in on the computer of the Internet cafe, but in fact you are scanning the QR code for logging in on the hacker’s computer.

Did you find it? There is a time difference in the middle, as long as the hacker sends your QR code to you before the login QR code fails, and you don’t look carefully after scanning it, you just click to confirm.

A wave of streaking directly on the hacker’s computer ▼

Some netizens analyzed that the QR code you logged in may be the login QR code of your QQ watch, not the computer QQ.

The history of stolen blood and tears of a Zhihu programmer ▼

Because the QQ watch can be online in parallel with the computer terminal and the mobile terminal, once the hacker logs in to your QQ watch, it can be more convenient for the hacker to control for a long time.

In this interface, there is no warning to log in to the new device, only a prompt to log in to the QQ watch appears at the top, which is really easy to ignore.

Once you click to allow login, the other party can do whatever they want on the QQ watch with your number.

QQ watch interface after login ▼

Of course, QQ also provides you with a lot of account protection tools, such as device locks, face recognition, and more.

However, some netizens reported that even if all functions were turned on, the account was still stolen.

What we can do may be to pray that QQ’s risk control will be done well, we can only be more careful, be careful of all kinds of pits, and keep our “innocence”.

In fact, before Tencent’s reply this time, netizens also had a lot of speculation. Among them, the recognition degree is relatively high, which is a very classic link stealing operation.

This operation may have been hit by many bad friends. It actually exploits a vulnerability called CSRF (Cross Site Request Forgery).

In short, this attack will not let you enter sensitive information, nor will you directly obtain your account password, but after you click on the link, the attacker can imitate your cookie and make the platform think he is you.

Basically anything you can do after logging in, an attacker can do.

It’s just that in 2018, big companies such as Google and Ali began to solve it. Now this operation is almost the tears of the times.

From the initial recording of the user’s keyboard input, to the insertion of plug-ins, OEMs, and stealth Trojans. There is always a time when you will accidentally get caught.

Some netizens once said that the number one way to prevent QQ from being stolen is to scan the QR code, and everyone has seen the result.

Indeed, QQ login is not as anti-human as WeChat. When logging in on a new mobile phone, you need mobile phone verification codes, QR codes, message reminders, and various roadblocks.

While we enjoy the convenience of QR code login, hackers also enjoy the same treatment.

In particular, everyone has no awareness of being careful about QR code login. Many people don’t read the content of the login confirmation page, and just click to confirm.

Today’s hackers, after logging into your account, are no longer thinking of taking QQ as their own as before.

Instead, they specifically use the time before the account is frozen to mass-spend advertising fraud information for phishing.

And they do this with extremely low criminal cost and don’t need to know your password at all!

So don’t log in to your account in an unfamiliar place, it seems to be the ultimate secret method to cut off all theft.

Finally, for those poor friends who want to unblock, if they are not particularly anxious, the poor reviewer thinks that they can wait for a wave of official unblocking, at least to avoid the second social death of holding ID cards and taking pictures.

Written by: Firefly Editor: Enchantment & Noodle Cover: Xuan Xuan

Pictures, sources:

Weibo @ Tencent QQ@tophao 灲灬 @ Dream Chaser Li Xiaocha @kkura’s little fairy @EpKong@blackorbird@ Qin Bu Gong @AlpacaKun

Station B controls Security Academy: QQ Login Mechanism – New QR Code Fishing

Know-Snowfalke: A simple understanding of CSRF


(Disclaimer: This article only represents the author’s point of view and does not represent the position of Sina.com.)

This article is reproduced from: http://finance.sina.com.cn/tech/csj/2022-06-29/doc-imizirav1070948.shtml
This site is for inclusion only, and the copyright belongs to the original author.

Leave a Comment