Demystifying the (In)Security of QR Code-based Login in Real-world Deployments

Xin Zhang

34th USENIX Security Symposium (USENIX Security '25) · Day 2 · Web and Mobile Security

The proliferation of QR code-based login systems across a myriad of digital platforms, from social media and e-commerce to cloud storage and gaming, has revolutionized user convenience. By simply scanning a QR code with a trusted mobile application, users can bypass traditional password entry, fostering a perception of enhanced security and ease of access. However, this talk, presented by Xin Zhang from Fudan University in collaboration with Sun Yat-sen University, critically dismantles this perception, revealing a surprisingly fragile reality beneath the surface of widespread QR login implementations. The core problem, as highlighted by the research, stems from the complete absence of an industry-wide implementation standard, leading each service provider to develop its own bespoke system with varying degrees of security rigor.

AI review

First systematic empirical study of QR login security across real-world deployments, with 43% of 109 sites showing exploitable flaws and 42 confirmed CVE-class vulnerabilities. The attack taxonomy is original, the methodology is reproducible, and the scale of affected users makes this matter. Not a 5 because the underlying flaws are individually unsurprising — the contribution is the systematic measurement, not the cryptographic novelty.
