Authors:
Zhang Xin; Zhang Xiaohan; Zhao Bo; Nan Yuhong; Liu Zhichen; Chen Jianzhou; Zhou Huijun; Yang Min
Publication:
This paper is included in proceedings of the 34th USENIX Security Symposium (USENIX Security 2025)
Abstract:
QRcode-based Login (QRLogin) has emerged as a prevalent method for web account authentication, offering a more user-friendly alternative to traditional username and password entry. However, despite its growing popularity, the security of QRLogin has been overlooked. In particular, the lack of standardized QRLogin design and implementation guidelines, coupled with its wide deployment variability, raises significant concerns about the real-world deployments of QRLogin.
This paper presents the first systematic study on the security of QRLogin in real-world deployments. We begin our research with real-world studies to understand the deployment status of QRLogin and user perceptions of this novel authentication paradigm, which assists us in establishing a realistic threat model. We then proceed with a systematic security analysis by generalizing the typical workflow of QRLogin, examining how key variables adhere to common security principles, and ultimately exposing 6 potential flaws. We conduct a security analysis on real-world QRLogin deployments with a semi-automatic detection pipeline, and reveal the surprising result that 47 top websites (43% of those tested) are vulnerable to at least one of the above flaws. These design and implementation flaws can lead to 5 types of attacks, including Authorization Hijacking, Double Login, Brute-force Login, Universal Account Takeover, and Privacy Abuse. We have responsibly reported all the identified issues and received 42 vulnerability IDs from official vulnerability repositories. We further provide an auditing tool and suggestions for developers and users, contributing a concerted step towards more secure implementations of QRLogin.