On the evening of June 26, news that a large number of QQ accounts had been stolen hit Weibo hot searches. Many people reported that their QQ was sending a large number of illegal pictures uncontrollably.

2024/05/06 21:49:33 technology 1156


On the morning of June 27, Tencent QQ officially issued an announcement. Its gist is that "users scanned phishing QR codes, and this has nothing to do with Tencent." Is it really unrelated to Tencent? Let's analyze it.

Scan the QR code to log in

First look at the QQ scanning login process, which is roughly divided into three stages:

  1. QR code display stage
  2. QR code scanning stage
  3. Login confirmation stage


First go through the login process briefly:

  1. The user opens QQ on the computer.
  2. Computer QQ displays a QR code.
  3. The user picks up the phone and scans the code.
  4. Computer QQ displays "Scan successful, please confirm on mobile QQ".
  5. Mobile QQ displays "You are logging into QQ on a new device" and lets the user choose to log in or refuse.
  6. The user chooses to log in, the computer QQ login succeeds, and the whole process ends.

Draw the whole sequence diagram from the user's actions:

[Image: QR code login sequence diagram]

This QR code login process is used widely across the industry, which is enough to show that it is a reasonable design. There are four participants in the process: the user, the mobile phone, the computer, and the Tencent QQ server.

Hackers cannot impersonate three of them, the user, the mobile phone and the Tencent QQ server, but they can control the computer side: which QR code is shown to the user, and which client redeems it once the user confirms. That is exactly what happened in this account theft incident. How is the attack carried out? Read on.

How hackers steal accounts

Based on some information I have gathered, I will make a bold guess at the account-theft process:

The WeGame client in the Internet cafe was injected with the hacker's code, and the hacker disguised a watch QQ login QR code as the WeGame login QR code. The user's authorization information was hijacked, and the hacker used it to interact with Tencent's server and send pictures in batches.

Based on my inference, let's reconstruct the crime scene:

First, the hackers compromised a large Internet cafe management service provider and injected a phishing entry point into the WeGame software.

Then the Internet cafes under this provider downloaded the tampered WeGame.

A user went to the Internet cafe, and when he opened WeGame he also opened the phishing entry point.


This phishing page shows a login error whenever an account and password are entered.

Therefore the user can only log in by scanning the QR code. Once the user scans it, what the phone shows is a login to watch QQ.

The user is puzzled, but does not think too much about it and taps OK to log in.

The authorization succeeds, and the hacker obtains the authorization information.


During the whole process, the hacker never directly stole your account password; he only obtained your authorization information through "phishing".

Tencent's server recognizes only the authorization information, not the person. As long as the authorization information is valid, Tencent lets the request through no matter who sends it.

In this way the hacker gained the server's trust and could make your account send pictures in batches.
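The login flow described above (three stages, six steps) and the attack reconstruction, modelled end to end as an added example in Python. This is not QQ's or Tencent's code: the `QQServer` class, the client-type names ("PC", "phone", "watch"), the 60-second QR lifetime and the hypothetical WeGame phishing page are all assumptions made for the demonstration. It shows why the attacker only needs to control the computer side: the server binds each QR token to whichever client type requested it, the phone confirms whatever the server reports, and the resulting session token is a bearer credential, so whoever polls the token gets the session. Sessions are kept per client type, which is also why the victim's own phone and PC stay online while the attacker's watch session sends pictures.

```python
import secrets
import time

QR_TTL = 60  # seconds a displayed QR code stays valid (assumed value)


class QQServer:
    """Toy server: issues QR tokens, tracks their state, issues bearer sessions."""

    def __init__(self):
        self.qr = {}        # qr_token -> {state, client_type, account, created}
        self.sessions = {}  # session_token -> (account, client_type)

    # Stage 1: the client that wants to log in (PC, watch, ...) asks for a QR
    # code; the server remembers which kind of client the code is for.
    def create_qr(self, client_type, now=None):
        token = secrets.token_hex(16)
        self.qr[token] = {"state": "waiting", "client_type": client_type,
                          "account": None,
                          "created": time.time() if now is None else now}
        return token

    def _valid(self, token, now=None):
        rec = self.qr.get(token)
        if rec is None:
            return False
        return (time.time() if now is None else now) - rec["created"] < QR_TTL

    # Stage 2: the phone scans the code. The server binds the scanning account to
    # the token and returns the client type, which is what the phone shows the user.
    def scan(self, token, phone_session, now=None):
        if not self._valid(token, now) or self.qr[token]["state"] != "waiting":
            return None
        account, _ = self.sessions[phone_session]
        self.qr[token].update(state="scanned", account=account)
        return self.qr[token]["client_type"]

    # Stage 3: the phone confirms or refuses; only the phone that scanned may decide.
    def confirm(self, token, phone_session, allow):
        rec = self.qr[token]
        if rec["state"] != "scanned" or self.sessions[phone_session][0] != rec["account"]:
            return False
        rec["state"] = "confirmed" if allow else "refused"
        return True

    # Polled by whoever displayed the QR code. Redeeming is one-shot: the token
    # is deleted, so the same code cannot yield a second session.
    def poll(self, token, now=None):
        if not self._valid(token, now):
            return "expired", None
        rec = self.qr[token]
        if rec["state"] != "confirmed":
            return rec["state"], None
        del self.qr[token]
        return "confirmed", self.login(rec["account"], rec["client_type"])

    # One session per (account, client type): a new PC login evicts the old PC
    # session, but phone, PC and watch sessions coexist (assumed policy).
    def login(self, account, client_type):
        for s, (acc, ct) in list(self.sessions.items()):
            if acc == account and ct == client_type:
                del self.sessions[s]
        session = secrets.token_hex(16)
        self.sessions[session] = (account, client_type)
        return session

    # The session token is a bearer credential: the server checks the token,
    # not who presents it. Returns the account the image is sent as.
    def send_image(self, session, payload):
        if session not in self.sessions:
            return None
        return self.sessions[session][0]


def honest_login(server, phone_session):
    """Steps 1-6: the PC shows its own QR code and the phone confirms a PC login."""
    token = server.create_qr("PC")
    shown = server.scan(token, phone_session)        # phone displays "PC"
    server.confirm(token, phone_session, allow=(shown == "PC"))
    return server.poll(token)                        # the PC polls and gets a session


def qr_relay_attack(server, phone_session, user_checks_client_type):
    """The attacker requests a QR code for a *watch* login and places it on the
    phishing page labelled as the WeGame login; the phone displays "watch"."""
    token = server.create_qr("watch")
    shown = server.scan(token, phone_session)
    noticed = user_checks_client_type and shown != "PC"
    server.confirm(token, phone_session, allow=not noticed)
    return server.poll(token)                        # the attacker polls, not the PC


if __name__ == "__main__":
    srv = QQServer()
    phone = srv.login("10001", "phone")              # victim already online on the phone
    print(honest_login(srv, phone)[0])               # confirmed
    state, stolen = qr_relay_attack(srv, phone, user_checks_client_type=False)
    print(state, srv.send_image(stolen, b"spam.jpg"))  # confirmed 10001
    print(qr_relay_attack(srv, phone, user_checks_client_type=True)[0])  # refused
```

Running the script prints `confirmed` for the honest login, then `confirmed 10001` for the relay attack (the image is sent as the victim's account while the victim's own phone session stays up), and `refused` when the victim reads the client type on the confirmation screen and declines. That confirmation screen is the only point in the flow where the user can tell a legitimate PC login from a relayed watch login, which is why what the phone displays matters so much.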

Questions and answers

Based on the above inference, several questions arise:

1. Why were the people whose accounts were hacked not pushed offline?

As mentioned above, what the hacker obtained was the authorization information of watch QQ, and a watch QQ login does not conflict with mobile QQ or computer QQ.

In other words, even if your mobile QQ is online, the hacker can still send messages. Even if you log out, the hacker can continue sending pictures.

2. Is this the first time such a large number of account thefts has occurred?

No. There was a similar case as early as May, but Tencent apparently did not take it seriously.


3. Why is QQ often stolen but not WeChat?

QQ was born in 1999. It is a product of an earlier era and carries many legacy problems.

WeChat was born in 2011. It skipped some of the pitfalls QQ had stepped in, and its permission control is stricter.

Although WeChat is not as feature-rich as QQ, it has always done better than QQ on security. After all, security is the foundation of software with financial attributes such as WeChat and Alipay; if security is not done well, they cannot stay in the game.

4. Why was QQ stolen without scanning any code? Why were QQ accounts that had not been used for ages stolen? Why were the QQ accounts of some deceased people stolen?

If that is really the case, I can't explain it. Only Tencent can.

Some other opinions

The above is my guess based on information found on the Internet. There are other opinions online.

The more mainstream ones are "Xuexitong credential stuffing" and "JS stealing authorization information".

Xuexitong database leak

The core of this argument is that Xuexitong leaked user information, and some users had set their Xuexitong password to the same value as their QQ password, which indirectly leaked their QQ passwords.

I personally think this possibility is very low.

Why?

First, apps of the size of Tencent and Xuexitong will certainly store user passwords desensitized and encrypted (hashed), so the leaked data cannot be used for credential stuffing directly.

Second, even if the encryption were cracked and the user's plaintext password obtained, it would still be difficult to log in to the user's QQ directly, because logging in from a new device triggers new-device verification. Without the user's login verification code, there is no way to log in successfully.
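The two defences just named, hashed password storage and new-device verification, as an added Python example. It is not Tencent's or Xuexitong's code: the `AccountService` class, the PBKDF2 parameters, the device-identifier scheme and the sample accounts are assumptions made for the demonstration. It registers the same password on two services and shows that the stored hashes differ (so a leaked hash table from one service cannot be matched against the other), then replays the leaked plaintext pair against the target from a device the account has never used, where the correct password still stops at the verification step.

```python
import hashlib
import hmac
import secrets


def hash_password(password, salt):
    """Salted, slow hash (PBKDF2-HMAC-SHA256). A leaked table of these does not
    hand over the passwords, and the same password hashes differently per salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountService:
    """Toy account store for one service, e.g. 'QQ' or 'Xuexitong' (assumed design)."""

    def __init__(self, name):
        self.name = name
        self.users = {}    # account -> {"salt", "hash", "devices"}
        self.pending = {}  # account -> (device_id, one-time code sent to the user's phone)

    def register(self, account, password, device_id):
        salt = secrets.token_bytes(16)
        self.users[account] = {"salt": salt, "hash": hash_password(password, salt),
                               "devices": {device_id}}

    def check_password(self, account, password):
        u = self.users.get(account)
        return u is not None and hmac.compare_digest(u["hash"], hash_password(password, u["salt"]))

    def login(self, account, password, device_id):
        """Right password from a known device: 'ok'. Right password from an unknown
        device: a code is sent to the user's phone (modelled by self.pending; it is
        never returned to the caller) and the login stays blocked until verified."""
        if not self.check_password(account, password):
            return "bad_credentials"
        if device_id in self.users[account]["devices"]:
            return "ok"
        self.pending[account] = (device_id, f"{secrets.randbelow(10 ** 6):06d}")
        return "new_device_verification_required"

    def verify_device(self, account, device_id, code):
        pend = self.pending.get(account)
        if pend is None or pend[0] != device_id or not hmac.compare_digest(pend[1], code):
            return False
        del self.pending[account]
        self.users[account]["devices"].add(device_id)
        return True


def credential_stuffing(target, leaked_pairs, attacker_device):
    """Replay (account, password) pairs taken from another service's leak."""
    return {acc: target.login(acc, pw, attacker_device) for acc, pw in leaked_pairs}


if __name__ == "__main__":
    qq, xuexitong = AccountService("QQ"), AccountService("Xuexitong")
    qq.register("10001", "hunter2", "victim-phone")          # constructed sample account
    xuexitong.register("10001", "hunter2", "victim-phone")   # same password reused
    print(qq.users["10001"]["hash"] != xuexitong.users["10001"]["hash"])  # True
    print(credential_stuffing(qq, [("10001", "hunter2")], "attacker-pc"))
    # {'10001': 'new_device_verification_required'}
```

The attacker's replay returns `new_device_verification_required`, not a session: the password alone is not enough, and the one-time code is delivered to the account owner's phone rather than to the caller. Only the owner, who has the code, can add a device.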

JS stealing authorization information

According to Coolapk user @JiuXia2025, this time a large number of QQ accounts were stolen because users clicked on a certain link, after which a JS script hijacked the cookies in the browser, from which the hacker obtained the key to control the QQ account and send pictures in batches.

I have no doubt about this expert's skill.

But I remain skeptical of his view.

First, I don't believe that after so many years Tencent has no protection against JS attacks.

Second, I don't think that clicking a link in QQ makes QQ grant the browser the permission to "send messages". Without the "send message" permission, it would be meaningless even if the browser's authorization information were hijacked by JS.

Summary

To summarize my point of view:

A rich man had so much money that it kept getting stolen, so he spent a fortune building the most formidable door in the world. To open it, one had to pass twenty-four mechanisms and five password confirmations, and finally fingerprint and face verification.

Even so, the rich man's money was still stolen. Why was it still stolen?

A reporter interviewed the rich man.

The rich man said only one sentence: all responsibility lies with the user.

Written at the end

You still need to keep up your technical skills. I predict that the QR code login process will become a popular interview question in the near future.

Why?

First, it tests whether the candidate has a keen grasp of technology.

Second, it can be well extended to other technical points. For example:

  1. Redis: how do you set an expiration time? Have you used it in a project?
  2. What are the differences between Token, Cookie and Session?
  3. Why poll the QR code status? Couldn't you use an HTTP long connection? Couldn't you use WebSocket?
  4. What other common attack methods are there? What are the countermeasures?
  5. Do you know OAuth 2.0 and JWT? What are the differences and connections with the QR code login you just described?

See how this combination of punches flows smoothly, in one go?

So, you still have to continue learning!

After all, at the end of the universe stands the king of involution (卷王). If you don't learn from him, he becomes the king.

All the inferences above represent only my personal opinion and conjecture. All materials come from the Internet.

Everything is subject to the official announcement. Do not believe rumors, and do not spread them.

