You wake up to find your QQ has sent a pile of porn images to your parents, your classmates and even your crush, you've been reported, banned, and called out on someone's QQ Zone. That social-death scene is probably the despair a lot of people were living through yesterday morning.

Worse still, despite being completely innocent, you have to take a photo holding your ID card and write a self-criticism telling Tencent: "I'll never mass-send porn or steal accounts again, please give me my account back."

Even Xuexitong, which suffered its own social death over a data leak not long ago, got dragged out and beaten for another round, dying a second social death.


Maybe because the guesses were getting wilder and wilder, with some people even suspecting the Penguin of an inside job, and with the fire about to reach its own backside, QQ finally couldn't sit still any longer.

The main reason given was that users had "scanned fake game-login QR codes and authorised the login".

According to netizens' reports online, most of the victims in this wave had at some point logged into QQ by QR code on an internet cafe machine.
Hang on, sir. People used to say don't type your account and password in an internet cafe because it can be logged.
But now you're telling me that even QR code scanning, the supposedly safest method, gets you stolen? Thanks a lot...
So... can I still happily log in somewhere unfamiliar? What about trust between people?
Ah, never mind. Let's look at how this QR code trap actually works.
Open the client, scan the QR code with the phone app, tap confirm to log in. Simple, right?
But in fact there are two layers of authentication in there.
When you scan the QR code, you are effectively telling the server who you are; when you tap confirm, you are confirming to the server that you really are you.
For safety, if either of those steps takes too long, the system decides you're playing games with it, invalidates the QR code, and makes you prove yourself all over again to finish logging in.

Now, if someone overlays the QR code on your computer screen in real time...
then you think you're scanning the login QR code of the internet cafe machine, when in fact you're scanning the login QR code on the hacker's machine.
See it? There's a window of time here. As long as the hacker gets his own QR code in front of you before the login code expires, and you scan it and tap confirm without looking closely,
you're logged in, wide open, on the hacker's computer ▼

Other netizens analysed that the QR code you logged in with may have been the login code for the QQ watch client, not the PC client.
A Zhihu programmer's tale of blood and tears about getting his account stolen ▼

Because the QQ watch client can be online in parallel with the PC and phone clients, once a hacker has logged in via your QQ watch, it's much easier for him to keep control for a long time.

On this screen there is no new-device login warning; only a small notice at the top says it's a QQ watch login, which is genuinely easy to miss.
Once you tap Allow Login, the other party can take your account and do whatever he wants on the QQ watch client.
The screen after a QQ watch login ▼
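The relay trick above and the QQ watch prompt that buries the device type both come down to two things: what the confirm screen shows, and how long a code stays valid. As an added example that is neither the post's nor Tencent's code, here is a toy server side of the two-step flow in Python: scanning identifies the user and returns what the confirm screen must display (the client type and a new-device flag), and confirming is refused once the timeout has passed or if the person confirming is not the one who scanned. The token format, the 60-second TTL and the per-user device bookkeeping are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

QR_TTL_SECONDS = 60  # assumed value; the page does not give QQ's real timeout


@dataclass
class QrSession:
    client_type: str            # what gets logged in on confirm: "desktop", "watch", ...
    created_at: float
    scanned_by: Optional[str] = None


class QrLoginServer:
    """Toy server side of a scan-to-login flow (constructed, not QQ's code)."""

    def __init__(self, now):
        self.now = now                                   # injectable clock, so expiry is testable
        self.sessions: Dict[str, QrSession] = {}
        self.known_devices: Dict[str, Set[str]] = {}     # user -> client types seen before

    def issue_qr(self, client_type: str) -> str:
        token = secrets.token_urlsafe(16)                # the QR code's payload
        self.sessions[token] = QrSession(client_type, self.now())
        return token

    def _live(self, s: QrSession) -> bool:
        return self.now() - s.created_at <= QR_TTL_SECONDS

    def scan(self, token: str, user: str) -> Optional[dict]:
        """Step 1 ('this is who I am'). Returns what the confirm screen must show,
        or None if the code is unknown or has timed out."""
        s = self.sessions.get(token)
        if s is None or not self._live(s):
            self.sessions.pop(token, None)
            return None
        s.scanned_by = user
        return {
            "client_type": s.client_type,   # must be shown prominently, not as a tiny notice
            "new_device": s.client_type not in self.known_devices.get(user, set()),
        }

    def confirm(self, token: str, user: str) -> bool:
        """Step 2 ('I really am me'). Any failed confirm burns the code (fail closed)."""
        s = self.sessions.pop(token, None)
        if s is None or not self._live(s) or s.scanned_by != user:
            return False
        self.known_devices.setdefault(user, set()).add(s.client_type)
        return True
```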

Of course, QQ does give everyone plenty of account protection tools, such as device lock, face recognition and so on.

But some netizens reported that even with every feature turned on, their accounts were still stolen.

Apart from praying that QQ's risk controls hold up, all we can do is keep our wits about us, watch out for the various traps, and protect our "good name".
Actually, before Tencent's reply, netizens had plenty of theories of their own. The one with the most support was the classic malicious-link trick.
Quite a few readers may have fallen for this one. It exploits a class of vulnerability called CSRF (cross-site request forgery).
Simply put, the attack doesn't ask you to enter any sensitive information and doesn't directly obtain your account password, but once you click the link, the attacker can spoof your cookie and make the platform believe he is you.
Basically, anything you can do once logged in, the attacker can do too.
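An added example, not from the original post, of the server-side check that defeats this trick: a state-changing request is accepted only when it carries a per-session token that a page on another origin cannot read, and its Origin (or Referer) matches the site, so the cookie the browser attaches automatically is never enough on its own. SITE_ORIGIN and the plain dictionaries standing in for a real framework's session, headers and form are assumptions.

```python
import hmac
import secrets
from typing import Dict

SITE_ORIGIN = "https://example.test"  # assumed origin of the platform being protected


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Bind a fresh random token to the logged-in session.
    The site's own pages embed it in their forms; a page on another
    origin cannot read it, which is what breaks CSRF."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def same_site_origin(headers: Dict[str, str]) -> bool:
    """Origin (or, failing that, Referer) must be exactly our site.
    A plain prefix test would wrongly accept https://example.test.evil.test."""
    src = headers.get("Origin") or headers.get("Referer", "")
    return src == SITE_ORIGIN or src.startswith(SITE_ORIGIN + "/")


def is_forged(session: Dict[str, str], headers: Dict[str, str],
              form: Dict[str, str]) -> bool:
    """True if a state-changing request must be refused as cross-site.
    The session cookie alone proves nothing here: the browser attaches it
    to any request, including one triggered from an attacker's link."""
    if not same_site_origin(headers):
        return True
    expected = session.get("csrf")
    supplied = form.get("csrf", "")
    # compare_digest avoids leaking the token through timing differences
    if not expected or not hmac.compare_digest(expected, supplied):
        return True
    return False
```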

But back in 2018, Google, Alibaba and the other big players started fixing this, so nowadays the trick is pretty much a relic of a bygone era.
From the earliest keyloggers recording what users typed, to browser plug-ins, rebranded fake clients and stealthy trojans, there is always a moment when you slip up and get hit.

Netizens used to say the number-one way to keep your QQ from being stolen was to log in by scanning a QR code, and well, everyone has seen how that turned out.
Indeed, QQ login isn't as user-hostile as WeChat's, which throws up SMS verification codes, QR codes, message alerts and all sorts of other roadblocks when you log in on a new phone.
But while we enjoy the convenience of QR code login, hackers enjoy exactly the same treatment.
Especially since most people have never learned to be careful with QR code logins: plenty don't even read what the login confirmation screen says and just tap confirm.

Today's hackers, once they're into your account, no longer try to keep the QQ account for themselves as they used to.
Instead they use the window before the account gets frozen to mass-send scam ads and phishing messages.

And the cost of this crime is tiny: they don't need to know your password at all!

So not logging into your account in unfamiliar places seems to be the ultimate secret to cutting off every kind of theft.
Finally, for readers hoping to get unbanned, if you're not in a particular hurry, 差评君 thinks you can wait for an official automatic unban and at least dodge the second social death of taking a photo with your ID card in hand.
Written by: 萤火 Edited by: 结界 & 面线 Cover: 萱萱
Image and data sources:
Weibo @腾讯 [email protected] 羲灬 @追梦家李筱茶 @kkura的小仙爷 @[email protected] @秦不工 @AlpacaKun
Bilibili, 掌控安全学院: "QQ登陆机制-新型二维码钓鱼" (QQ login mechanism: a new kind of QR code phishing)
Zhihu, Snowfalke: "简单认识CSRF" (A simple introduction to CSRF)