Vulnerability in WhatsApp and Telegram could allow hackers to manipulate your private media files
Researchers from cyber-security firm Symantec on Monday revealed in a blog post that a flaw in the popular end-to-end encrypted instant messaging platforms WhatsApp and Telegram could allow hackers to manipulate private media files transferred through these services.
According to Symantec researchers, the security flaw, dubbed “Media File Jacking”, affected WhatsApp for Android by default, and Telegram for Android if certain features were enabled.
The vulnerability arises from the lapse in time between when media files received through the apps are written to the disk and when they are loaded into the apps' chat user interface (UI) for users to consume. This time window allows malicious actors to intrude and manipulate media files without the user's knowledge.
“If the security flaw is exploited, a malicious attacker could misuse and manipulate sensitive information such as personal photos and videos, corporate documents, invoices, and voice memos,” wrote Software Engineer Alon Gat and Yair Amit, Vice-President and Chief Technology Officer, Modern OS Security, Symantec. “Attackers could take advantage of the relations of trust between a sender and a receiver when using these IM apps for personal gain or to wreak havoc.”
While WhatsApp saves files such as photos or videos automatically to external storage by default, the vulnerability is present on Telegram if “Save to Gallery” is enabled.
Media File Jacking allows a malicious Android application with the write-to-external-storage permission to quickly modify files sent or received via WhatsApp and Telegram.
Researchers showed how a malicious app can be used to scam victims in many different ways. They tested malware they had created to manipulate image and audio files sent through WhatsApp and Telegram.
Giving an example of image manipulation, the researchers said “a seemingly innocent, but actually malicious, app downloaded by a user could manipulate personal photos in near-real-time and without the victim knowing.”
In the case of the above clip, one can see that a photo of two friends was sent. However, the image was automatically replaced with an image of actor Nicolas Cage by the malware on the recipient's device.
“A WhatsApp user may send a family photo to one of their contacts, but what the recipient sees is actually a modified photo. While this attack may seem trivial and just a nuisance, it shows the feasibility of manipulating images on the fly,” said the blog post.
The attackers can also use the same vulnerability to alter payment details or voice notes, which is a far more dangerous scenario.
“In one of the most damaging Media File Jacking attacks, a malicious actor can manipulate an invoice sent by a vendor to a customer, to trick the customer into making a payment to an illegitimate account,” Gat and Amit wrote.
“An app that appears to be legitimate but is in fact malicious, watches for PDF invoice files received via WhatsApp, then programmatically swaps the displayed bank account information in the invoice with that of the bad actor. The customer receives the invoice, which they were expecting to begin with, but has no knowledge that it's been altered. By the time the trick is exposed, the money may be long gone,” they added.
“To make matters worse, the invoice hack could be broadly distributed in a non-targeted way, looking for any invoices to manipulate, affecting multiple victims who use IM apps like WhatsApp to conduct business.”
The company also said that the hack could be used to spread misinformation in Telegram “channels,” which are used to broadcast messages to huge numbers of users.
Symantec researchers have already notified WhatsApp and Telegram about the Media File Jacking vulnerability and have also made multiple suggestions to change file validation and storage on their platforms to patch the vulnerability.
However, a WhatsApp spokesperson said making changes to its storage system would restrict the service's ability to share media files and would also create new privacy issues.
“WhatsApp has looked closely at this issue and it's similar to previous questions about mobile device storage impacting the app ecosystem,” the spokesperson said in a statement. “WhatsApp follows current best practices provided by operating systems for media storage and looks forward to providing updates in line with Android's ongoing development. The suggested changes here could both create privacy complications for our users and limit how photos and files could be shared.”
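The window the researchers describe is a time-of-write versus time-of-load gap: the app writes a received file to shared external storage, and only later reads it back to display it. The following is an added example, not code from Symantec, WhatsApp or Telegram, showing one form the "file validation" suggestion could take: record a SHA-256 digest of the bytes as received in app-private storage, then re-hash the shared copy at load time and refuse to display it if the two differ. The `MediaReceiver` class, its directory names and the sample file contents are all constructed for this illustration; the temporary directories stand in for Android's shared external storage and app-private internal storage.

```python
import hashlib
import os
import tempfile


class MediaIntegrityError(Exception):
    """Raised when a file in shared storage no longer matches what the app received."""


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (used as the stored integrity record)."""
    return hashlib.sha256(data).hexdigest()


class MediaReceiver:
    """Simulated IM-client media pipeline (assumed design, not any real app's code).

    external_dir stands in for shared external storage, which any app holding the
    write-to-external-storage permission can modify. private_dir stands in for
    app-private internal storage, which other apps cannot write to.
    """

    def __init__(self, external_dir: str, private_dir: str) -> None:
        self.external_dir = external_dir
        self.private_dir = private_dir

    def _media_path(self, name: str) -> str:
        return os.path.join(self.external_dir, name)

    def _digest_path(self, name: str) -> str:
        return os.path.join(self.private_dir, name + ".sha256")

    def receive(self, name: str, payload: bytes) -> str:
        """Time of write: hash the bytes as received and keep the hash in private storage."""
        digest = sha256_hex(payload)
        with open(self._media_path(name), "wb") as fh:
            fh.write(payload)
        with open(self._digest_path(name), "w", encoding="ascii") as fh:
            fh.write(digest)
        return digest

    def load_for_display(self, name: str) -> bytes:
        """Time of load: re-hash the shared copy and refuse to show it if it changed."""
        with open(self._media_path(name), "rb") as fh:
            data = fh.read()
        with open(self._digest_path(name), encoding="ascii") as fh:
            expected = fh.read().strip()
        actual = sha256_hex(data)
        if actual != expected:
            raise MediaIntegrityError(
                f"{name}: expected sha256 {expected[:12]}..., found {actual[:12]}..."
            )
        return data


def overwrite_shared_file(external_dir: str, name: str, replacement: bytes) -> None:
    """Stands in for any other process with write access to the shared directory."""
    with open(os.path.join(external_dir, name), "wb") as fh:
        fh.write(replacement)


def run_demo() -> dict:
    """Constructed scenario: one file left alone, one modified between write and load."""
    with tempfile.TemporaryDirectory() as external_dir, tempfile.TemporaryDirectory() as private_dir:
        receiver = MediaReceiver(external_dir, private_dir)
        photo = b"\x89PNG constructed sample photo bytes"
        invoice = b"%PDF-1.4 constructed sample invoice, pay account 1234"
        receiver.receive("photo.png", photo)
        receiver.receive("invoice.pdf", invoice)

        # Nothing touched the shared copy: the file loads exactly as received.
        untouched_ok = receiver.load_for_display("photo.png") == photo

        # The shared copy changes before the app reads it back for display.
        overwrite_shared_file(
            external_dir, "invoice.pdf",
            b"%PDF-1.4 constructed sample invoice, pay account 9999",
        )
        try:
            receiver.load_for_display("invoice.pdf")
            tampering_detected = False
        except MediaIntegrityError:
            tampering_detected = True

        return {"untouched_ok": untouched_ok, "tampering_detected": tampering_detected}


if __name__ == "__main__":
    print(run_demo())
```

The check detects modification but does not prevent it: another app with write access can still read or overwrite the shared copy, so the app can only refuse to render a changed file. The stricter alternative, keeping media in app-private storage, closes the window entirely but is the trade-off WhatsApp's statement below refers to, since files in private storage are not visible to other apps such as the gallery.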
Telegram has not yet responded on the matter.