Tencent admits to poisoned QR code attack on QQ chat platform
Could it be Beijing was right about games being bad for China?
Chinese web giant Tencent has admitted to a significant account hijack attack on its QQ.com messaging and social media platform.
In a post to rival social media platform Sina Weibo – a rough analog of Twitter – Tencent apologized for the incident.
The problem manifested on Sunday night and saw an unnamed number of QQ users complain their credentials no longer allowed them access to their accounts. Tencent has characterized that issue as representing "stolen" accounts.
Tencent asserts the incident started with criminals posting QR codes that claimed to offer game logins. Users who scanned the codes were asked to authenticate using their QQ creds.
Which was a mistake, as the criminals behind the scam observed those logins. A machine translation of Tencent's explanation produces the phrase "the login behavior was hijacked and recorded by the black industry gang, and then used by criminals to send bad picture ads," which does not read like something you want to happen.
Users were also locked out of their accounts.
Tencent's security team swung into action and the company stated that by early Monday morning accounts had been restored. The web giant is now gathering evidence to share with local authorities and has pledged co-operation.
Those authorities are likely to be interested in Tencent and whoever created the poison QR codes, as China has recently made it clear it expects its web giants to take their responsibility to the nation seriously. If Tencent is held to have provided insufficient security to prevent this incident, a "rectification notice" will soon be headed its way. Such notices are usually resolved with some behind the scenes work to fix the issue and then a public admission that the entity in receipt of the notice should really have done better to begin with and won't be so lax again.
China has in recent weeks eased its criticism of its web giants, and suggested their expansion is acceptable provided they make positive contributions to society and promote socialist values.
Beijing, however, does not believe that games are a good expression of those values. It has made several moves to restrict development of the local gaming industry and prevent youth from spending more than a few hours a week gaming.
That this incident started with a game-related lure will not have escaped authorities' attention. ®