Wednesday, 22 January 2025
24.6 C
Singapore
21.7 C
Thailand
20 C
Indonesia
25.9 C
Philippines

QR codes could bypass browser security tool: Here’s how

Learn how QR codes could bypass browser isolation security, allowing malware communication despite sandboxing. Find out the risks and limits.

Cybersecurity experts have uncovered a surprising new method to bypass an essential browser security feature, even when advanced measures protect the browser. Researchers at Mandiant have demonstrated how QR codes can be exploited to enable malware to communicate with its command-and-control (C2) servers, even when a browser operates in an isolated or sandboxed environment.

What is browser isolation?

Browser isolation is a modern cybersecurity method that safeguards users from web-borne threats. Instead of allowing code and scripts to execute directly on your device, your browser communicates with a remote browser located in a cloud environment or virtual machine. You only receive a visual representation of the web page while all code and commands are processed on the remote system.

This approach effectively creates a barrier between your device and malicious websites, functioning like browsing through the lens of a camera. While this has been a significant step in preventing cyberattacks, the new findings suggest that even this advanced method is not foolproof.

The loophole: How QR codes play a role

Mandiant researchers have discovered a way for C2 servers to interact with malware on an infected device, even when browser isolation is active. The key lies in QR codes. When malware is present on a device, it can analyse the pixels rendered on the screen. If these pixels form a QR code, the malware can decode and use the information to execute further actions.

Mandiant demonstrated this vulnerability using the latest version of Google Chrome to prove the concept. They employed Cobalt Strike’s External C2 feature, a popular penetration testing tool, to showcase how the malware could receive instructions via QR codes.

Limitations of this method

Despite its potential, this technique has significant limitations. QR codes can only transmit a small amount of data—up to 2,189 bytes. Additionally, the process suffers from a latency of about five seconds, making it unsuitable for transmitting large payloads or supporting complex actions like SOCKS proxying.

Further security measures, such as URL scanning or data loss prevention systems, could render this method ineffective. These tools can detect unusual activity or block QR code data streams before damage is done.

While this method may seem impractical for large-scale attacks, it could still be used in targeted, destructive malware campaigns. As a result, IT teams are being urged to remain vigilant. Special attention should be given to monitoring the flow of traffic, especially from headless browsers operating in automation mode, which attackers commonly use to exploit vulnerabilities.

This discovery underscores the evolving nature of cyber threats and highlights the need for continuous advancements in security measures.

Hot this week

Genshin Impact developer settles FTC charges with US$20 million fine

Genshin Impact developer Cognosphere agrees to pay a US$20 million fine and implement changes to in-game purchases following FTC charges.

Square Enix announces PC specs for Final Fantasy VII: Rebirth

Square Enix reveals PC specs for Final Fantasy VII: Rebirth, offering tailored settings from basic 1080p to 4K visuals with NVIDIA RTX 50 upgrades.

Apple iPhone SE 4 dummy units reveal updated design and lack of Touch ID

Discover the new design and features of Apple’s iPhone SE 4, expected to launch in March 2025 with a starting price of around US$499.

Beyond TikTok: How Xiaohongshu (RedNote) is shaping social media trends in the post-ban era

Discover how Xiaohongshu is transforming social media trends after the TikTok ban, creating new opportunities for users, creators, and marketers worldwide.

Apple set to launch iPhone SE 4 with Dynamic Island and iPad Air featuring M3 chip

The iPhone SE 4 with Dynamic Island and iPad Air with M3 chip are expected to launch soon. They will offer modern design and performance upgrades.

Apple set to launch iPhone SE 4 with Dynamic Island and iPad Air featuring M3 chip

The iPhone SE 4 with Dynamic Island and iPad Air with M3 chip are expected to launch soon. They will offer modern design and performance upgrades.

President Trump signs executive order delaying TikTok ban for 75 days

Trump delayed the TikTok ban with a 75-day executive order, allowing time to address national security concerns and find a resolution.

President Trump repeals Biden’s AI executive order on first day in office

President Trump repeals Biden's 2023 AI executive order on day one, sparking debate over AI regulation, innovation, and national security risks.

RedNote, Flip, Clapper, and Likee dominate app charts as TikTok returns online

TikTok’s brief ban boosted rivals RedNote, Flip, Clapper, and Likee, which are now leading U.S. app charts and reshaping video-sharing app trends.