QR codes have become ubiquitous, offering a convenient way to access websites, download apps, and share information quickly. However, as with any technology, they come with risks, especially when it comes to cybersecurity. One of the emerging threats is the use of QR codes to bypass browser isolation, a security measure designed to protect users from malicious web content.
Understanding Browser Isolation
Browser isolation is a security technology that runs a browser in a secure environment, such as a cloud server or virtual machine, and then streams the visual content to the user’s device. This method ensures that any malicious content is executed in a remote environment, away from the user’s local device. However, attackers have found a way to circumvent this protection using QR codes.
The Attack Vector
Researchers from Mandiant have demonstrated a proof-of-concept (PoC) that shows how attackers can bypass browser isolation using QR codes. The technique involves the following steps:
- Command-and-Control (C2) Communication: Attackers use a C2 server to send commands to a victim’s device. Instead of returning the C2 data in the HTTP request headers or body, the C2 server returns a valid webpage that visually shows a QR code.
- QR Code Rendering: The implant on the victim’s device uses a local headless browser to render the page, grabs a screenshot, and reads the QR code to retrieve the embedded data.
- Data Extraction: By taking advantage of machine-readable QR codes, an attacker can send data from the attacker-controlled server to a malicious implant even when the webpage is rendered in a remote browser.
This method allows attackers to bypass three types of browser isolation: remote, on-premises, and local, making it a versatile and potent attack vector.
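Because the implant described above has to drive a local headless browser and screenshot the page each time it wants a new command, a process-creation log is one place a defender can look for it. The following is an added detection example, not code from the post or from Mandiant's PoC; the event shape, the `updater.exe` parent and the parent allowlist are constructed assumptions, while the Chromium switches it keys on are real.

```python
import re

# Constructed sample process-creation events in a hypothetical EDR/Sysmon-like
# shape (pid, parent image, user, command line); not from the page or Mandiant's PoC.
SAMPLE_EVENTS = [
    {"pid": 4101, "parent_image": "explorer.exe", "user": "alice",
     "cmdline": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" https://intranet.example'},
    {"pid": 4180, "parent_image": "updater.exe", "user": "alice",
     "cmdline": "chrome.exe --headless=new --disable-gpu --screenshot=C:\\Temp\\s.png --window-size=400,400 https://cdn.example/p"},
    {"pid": 4185, "parent_image": "updater.exe", "user": "alice",
     "cmdline": "chrome.exe --headless=new --screenshot=C:\\Temp\\s.png https://cdn.example/p"},
    {"pid": 5200, "parent_image": "jenkins-agent.exe", "user": "svc_ci",
     "cmdline": "chrome.exe --headless --dump-dom https://build.example/report"},
]

BROWSER_RE = re.compile(r"(?:^|[\\/])(chrome|chromium|msedge|firefox)(?:\.exe)?$", re.I)
# Real Chromium switches that put the browser into an unattended, scriptable mode.
HEADLESS_FLAGS = {"--headless", "--screenshot", "--dump-dom", "--remote-debugging-port"}
# Hypothetical allowlist of automation parents that legitimately drive headless browsers.
ALLOWED_PARENTS = {"jenkins-agent.exe", "github-runner.exe"}

def tokenize(cmdline):
    """Split a command line on whitespace, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def headless_flags(cmdline):
    """Return the headless-mode switches present if the image is a browser, else an empty set."""
    toks = tokenize(cmdline)
    if not toks or not BROWSER_RE.search(toks[0]):
        return set()
    return {t.split("=", 1)[0].lower() for t in toks[1:]} & HEADLESS_FLAGS

def find_suspicious(events):
    """Flag headless browser launches from parents outside the automation allowlist.
    Repeated screenshot launches from the same (user, parent) are called out, since the
    implant must re-render the C2 page every time it wants to read a new QR code."""
    seen, hits = {}, []
    for ev in events:
        flags = headless_flags(ev["cmdline"])
        parent = ev["parent_image"].lower()
        if not flags or parent in ALLOWED_PARENTS:
            continue
        key = (ev["user"], parent)
        seen[key] = seen.get(key, 0) + 1
        reason = f"headless browser ({', '.join(sorted(flags))}) launched by {parent}"
        if "--screenshot" in flags and seen[key] > 1:
            reason += f"; {seen[key]} screenshot launches from this parent"
        hits.append({"pid": ev["pid"], "parent": parent, "reason": reason})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit["pid"], hit["reason"])
```

On the constructed events this flags only the two launches from `updater.exe`; the interactive Chrome session and the CI runner's headless run pass through.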
Top 5 Tips for Staying Secure when Encountering QR Codes
Given the potential risks associated with QR codes, it’s essential to adopt best practices to stay secure. Here are the top five tips:
- Verify the Source: Always check the legitimacy of the QR code before scanning it. Look for distinctive markers indicating the brand responsible for the QR code, such as brand colours and company logos.
- Check the URL: When you point your phone’s camera at a QR code, you get a preview of the URL. If it’s a short link or something unrecognisable, proceed with caution.
- Improve Mobile Security: Ensure your mobile device has up-to-date security software to protect against malicious downloads and phishing attacks.
- Avoid Giving Out Sensitive Information: Be cautious about entering personal or financial information after scanning a QR code. Legitimate services will not ask for sensitive information through a QR code.
- Use Reputable QR Code Generators: If you need to create QR codes, use reputable QR code generators to avoid inadvertently embedding malicious content.
By following these tips, you can significantly reduce the risk of falling victim to QR code-based attacks and ensure your digital interactions remain secure.
Stay safe and vigilant! Watch our Cyber Security Awareness Training to learn how you can train yourself and watch our 2025 Sophos Security Webinar.