WhatsApp, Telegram security flaw allows hackers to spoof your photos, voice
The latest security vulnerability in Telegram and WhatsApp allows hackers to spoof your voice and photos.
WhatsApp and Telegram are known for their security features such as end-to-end encryption which makes it difficult for hackers to snoop on your private messages. The two apps, however, don't really bring the same level of advanced security when it comes to storing your files on your device. Security researchers at Symantec have discovered a security flaw in the two popular messaging apps that allows hackers to spoof your private photos and videos without your knowledge. Researchers are calling the vulnerability as Media File Jacking.
How 'Media File Jacking' exploit works
The origin of the vulnerability lies in the way WhatsApp and Telegram handle storage of media files.
Researchers point out that Google recommends "files saved to the internal storage are private to your app, and other apps cannot access them (nor can the user, unless they have root access)." For external storage, Google says, it is the "best place for files that don't require access restrictions and for files that you want to share with other apps or allow the user to access with a computer."
WhatsApp, however, stores media files received by a device in the external storage which can be accessed through /storage/emulated/0/WhatsApp/Media/.
"When we researched the flow of how media files are handled in WhatsApp and Telegram, we found that in the time between when files are first received on a device and written to the disk, and when they are loaded for users to consume via the apps, the ideal opportunity for exploitation arises: malware can instantaneously analyze and manipulate the files (or just replace them with the attacker's chosen files) for malicious gain," wrote researchers in a blog post.
Researchers also have posted demonstration videos of how the new WhatsApp vulnerability works.
Spoofing your audio
In this scenario, hackers use voice recognition technology based on deep learning technology to modify your voice memos. Researchers point out that hackers not only reconstruct user's voice accurately but can also use these memos to make fake payment requests and conduct other frauds.
In this case, hackers can manipulate personal photos in near-real time and without the victim knowing. A malware app, running in the background, can launch Media File Jacking attack when the victim is using WhatsApp app.
"A WhatsApp user may send a family photo to one of their contacts, but what the recipient sees is actually a modified photo. While this attack may seem trivial and just a nuisance, it shows the feasibility of manipulating images on the fly," noted researchers.
WhatsApp in its response to the latest report said that the company practices the best practices provided by Android for users' media storage.
"WhatsApp has looked closely at this issue and it's similar to previous questions about mobile device storage impacting the app ecosystem. WhatsApp follows current best practices provided by operating systems for media storage and looks forward to providing updates in line with Android's ongoing development. The suggested changes here could both create privacy complications for our users and limit how photos and files could be shared," said a WhatsApp spokesperson in a statement.