Popular instant messaging apps WhatsApp and Telegram contain an unpatched zero-day vulnerability that can be exploited by threat actors and hackers to manipulate files shared across the messaging platform.
Security researchers from Symantec's Modern OS Security team found a vulnerability that allows hackers and cybercriminals to manipulate images, audio files, documents, and other forms of data sent from one user to another.
Both WhatsApp and Telegram, along with other instant messaging platforms, have end-to-end encryption — which makes the message safe to send and receive. End-to-end encryption only allows the sender and the receiver to read the contents of the messages, and even the company has no human-readable copies of the messages sent.
However, according to the researchers, the vulnerability, dubbed “Media File Jacking”, can bypass the end-to-end encryption in the said apps. It affects WhatsApp on Android by default and Telegram on Android if certain features are enabled.
“It stems from the lapse in time between when media files received through the apps are written to the disk, and when they are loaded in the apps’ chat user interface (UI) for users to consume. This critical time lapse presents an opportunity for malicious actors to intervene and manipulate media files without the user’s knowledge,” wrote Yair Amit, VP & CTO, Modern OS Security in a blog post together with Alon Gat, a software engineer.
“If the security flaw is exploited, a malicious attacker could misuse and manipulate sensitive information such as personal photos and videos, corporate documents, invoices, and voice memos. Attackers could take advantage of the relations of trust between a sender and a receiver when using these IM apps for personal gain or wreak havoc.”
End-to-end encryption does not make an app immune to threat actors
The researchers said that users of instant messaging platforms are particularly vulnerable in this instance because they assume that, since these apps have end-to-end encryption, they are automatically immune from hacking. But that is definitely not the case, as illustrated by Symantec’s discovery.
“As we’ve mentioned in the past, no code is immune to security vulnerabilities. While end-to-end encryption is an effective mechanism to ensure the integrity of communications, it isn’t enough if app-level vulnerabilities exist in the code,” they added.
The problem comes from how these apps store media files: end-to-end encryption protects a file while it is in transit, but not once the decrypted file has been saved to external storage. When files are stored on external storage, other apps with storage permission can read and modify them. On WhatsApp, media is stored externally by default, while on Telegram, the vulnerability is present if “Save to Gallery” is enabled.
Additionally, the Media File Jacking vulnerability, as the researchers said, points to a more significant issue of app developers’ non-secure use of storage resources.
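As an added illustration of the window described above (this is constructed demo code, not Symantec's research code or anything from WhatsApp or Telegram): a receiver writes a decrypted file to shared storage, a second process rewrites it before the chat UI loads it, and a digest recorded in app-private state at receipt time is what lets the loader detect the swap. The `ledger` dict, the file names and the invoice bytes are all assumptions made up for the demo.

```python
import hashlib
import hmac
import os
import tempfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def receive_media(plaintext: bytes, external_dir: str, name: str, ledger: dict) -> str:
    """Decrypted media arrives and is written to shared (external) storage.
    The digest is kept in app-private state (the ledger), which other apps
    on the device cannot reach, unlike the file itself."""
    path = os.path.join(external_dir, name)
    with open(path, "wb") as fh:
        fh.write(plaintext)
    ledger[path] = sha256(plaintext)
    return path


def load_media(path: str, ledger: dict):
    """Later load for the chat UI: re-hash the bytes on disk and compare with
    the digest recorded at receipt. Returns (ok, data); ok is False if the
    file changed in the meantime, so the UI can refuse to display it."""
    with open(path, "rb") as fh:
        data = fh.read()
    return hmac.compare_digest(sha256(data), ledger[path]), data


def tamper(path: str, new_bytes: bytes) -> None:
    """Stand-in for another app with storage permission rewriting the file
    in the gap between the write and the load above."""
    with open(path, "wb") as fh:
        fh.write(new_bytes)


def demo() -> dict:
    ledger = {}
    with tempfile.TemporaryDirectory() as external:  # plays the role of /sdcard
        path = receive_media(b"INVOICE: pay to account 111-222", external, "invoice.pdf", ledger)
        ok_before, _ = load_media(path, ledger)
        tamper(path, b"INVOICE: pay to account 999-888")  # constructed swap
        ok_after, shown = load_media(path, ledger)
    return {"clean": ok_before, "tampered": ok_after, "shown": shown}
```

Keeping the file in app-private internal storage removes the window entirely; the digest check is the fallback for files that must live on shared storage.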
Impact of the exploits
Researchers from Symantec raised the alarm because malicious actors can use the discovered vulnerability in different ways. Hackers can fundamentally alter images in near real time as they are sent from one user to another just by exploiting the zero-day. In a demo video released by Symantec, the researchers were able to change the faces of two men in an image to that of Nicolas Cage as the picture was being sent from one test account to another.
Furthermore, threat actors can also exploit the vulnerability by altering numbers in invoices in a bid to redirect payments to a different bank account. To make matters worse, the researchers said that the invoice-jacking scheme can also be carried out without a specific target and could be broadly distributed, looking for any invoices to manipulate, affecting multiple victims who use IM apps like WhatsApp to conduct business.
“As in the previous scenario, an app that appears to be legitimate but is, in fact, malicious, watches for PDF invoice files received via WhatsApp, then programmatically swaps the displayed bank account information in the invoice with that of the bad actor. The customer receives the invoice, which they were expecting to begin with, but has no knowledge that it’s been altered. By the time the trick is exposed, the money may be long gone,” the report said.
The exploitation of the vulnerability may also come in the form of audio spoofing, where an attacker exploits the relations of trust between employees in an organization: the attacker can replace a received voice memo with a manipulated file engineered to mimic the voice of another person.
At the end of the day, Symantec is encouraging IM users to disable the feature that saves media files to external storage in order to mitigate possible attacks using the exposed vulnerability.