微博@腾讯[email protected]羲灬@追梦家李筱茶@kkura的小仙爷@[email protected]@秦不工@AlpacaKun
What’s more, when you are clean, you have to take a photo with your ID card in hand, write down a review and tell Tencent: & nbsp; “& nbsp; I will never dare to steal a group color map again. Please give it back to me. & nbsp; “
Even the learner, who died some time ago because of the information leakage society, was pulled out and whipped for a round, and the society died again.
It may be that everyone’s speculation is getting more and more outrageous, and some people even suspect that penguins are stealing from themselves. Seeing the fire burning to their own buttocks, QQ finally can’t sit still.
The main reason is that & nbsp; “& nbsp; scanned the fake game login QR code authorized login caused by & nbsp;” & nbsp;.
According to revelations from netizens online, most of the stolen netizens have the experience of logging into QQ-related QR code accounts in Internet cafes.
Come on, sir, people used to say that you should not enter your account password in Internet cafes because it is easy to be recorded.
But now that you tell me that the safest QR code scan will be stolen, I really appreciate it.
It’s… no, no. Can I still happily log in to my account in a strange place? What about trust between people?
Hey, don’t say anything. Let’s study the principle of this kind of QR code.
Open the software, take the phone App to scan the QR code, click OK to log in, this process is not very simple?
But in fact, there are two layers of authentication involved.
When you scan the QR code, you are telling the server who I am, and after clicking OK, you are confirming with the server that I am really me.
To be on the safe side, if either of these steps is delayed for too long, the system will determine that you are cheating it, invalidate the QR code and have to re-certify yourself to complete the login.
If you overwrite your computer’s QR code in real time.
So you think you are scanning the login QR code of the Internet bar computer, but in fact you are scanning the login QR code on the hacker’s computer.
Did you find out? There is a time difference, as long as the hacker sends you his own QR code while the login QR code does not fail, and you click on it to confirm it without looking at it carefully.
Do a wave of streaking directly on the hacker’s computer & nbsp;
According to some netizens’ analysis, the QR code you log in may be the QR code of your QQ watch, rather than the computer QQ.
A stolen Blood and tears History of a Zhihu programmer & nbsp;
Because QQ watches can be online in parallel with computers and mobile phones, once a hacker logs in to your QQ watch, it will be more convenient for hackers to operate for a long time.
In this interface, there is no warning to log in to the new device, only a prompt to log in to the QQ watch appears at the top, which is really easy to ignore.
Once you have clicked to allow login, the other person can take your number and do whatever you want on the QQ watch.
The interface of QQ watch after login & nbsp;
Of course, QQ also provides you with a lot of account protection tools, such as device locks, face recognition and so on.
But there is feedback from netizens, even if all the functions are turned on, the account is still stolen.
Perhaps all we can do is to pray that the risk control of QQ is well done, but we can only pay more attention to all kinds of pitfalls and keep our & nbsp; & nbsp; innocent & nbsp; & nbsp;.
In fact, before Tencent replied this time, netizens also had a lot of speculation. Among them, the one with a relatively high degree of identity is a very classic link theft operation.
Many bad friends may have won this operation. It actually exploits a vulnerability called CSRF (& nbsp; cross-site request forgery & nbsp;).
Simply put, this attack does not allow you to enter sensitive information or directly obtain your account password, but after you click on the link, the attacker can fake your cookie and make the platform think that it is you.
Basically, the attacker can do anything you can do after you log in.
Only in 18 years when Google, Ali these big companies began to solve, now this operation is almost the tears of the times.
From the initial record of the user’s keyboard input, to plug-ins, stickers, and invisible Trojans. There is always a time when you will get hit accidentally.
Some netizens once said that the number one way to prevent theft from QQ is to scan it with a QR code, and everyone has seen the result.
Indeed, QQ login is not as anti-human as Wechat, which requires mobile CAPTCHA, QR codes, message alerts and roadblocks when logging in on a new phone.
While we enjoy the convenience of QR code login, hackers also enjoy the same treatment.
In particular, we do not have the awareness of careful QR code login, many people do not look at the contents of the login confirmation page, just click to confirm.
Today’s hackers, after logging in to your account, no longer want to take QQ as their own, as they used to.
Instead, they specifically use the time before freezing their accounts to post mass advertising fraud messages to fish.
And the crime cost for them to achieve this goal is so low that they don’t need to know your password at all!
So don’t log on to your account in a strange place, it seems to be the ultimate secret to cut off all thefts.
Finally, for those poor friends who want to unseal, if they are not in a particular hurry, they feel that they can wait for a wave of official unsealing automatically, or at least avoid the second death of the society with ID cards in hand.
Author: Firefly & nbsp; Editor: boundary & nbsp;& face Line & nbsp; cover: Xuan Xuan
Pictures, data sources:
Weibo & nbsp;@ Tencent & nbsp; [email protected] & nbsp; Xizhi & nbsp;@ dreamer Li Xiaocha & nbsp;@kkura ‘s Little Xianye & nbsp;@ [email protected] @ & nbsp; Qin Bugong & nbsp;@AlpacaKun
Bilibili controls the School of Security: QQ login mechanism & nbsp;- new QR code fishing
Zhihu & nbsp;-Snowfalke: simple understanding of CSRF