WhatsApp and Telegram media files are vulnerable to hackers who could manipulate the media files received on these messaging platforms, according to cyber-security firm Symantec. Researchers from the firm disclosed the flaws to WhatsApp and Telegram as well. The ‘Media File Jacking’ flaw could allow potential hackers to alter images and audio files.
Media File Jacking on WhatsApp, Telegram: What’s the danger?
The security flaw, dubbed as “Media File Jacking” by Symantec, affects WhatsApp for Android by default, and Telegram for Android if the ‘Save to Gallery’ feature is enabled. An attacker could manipulate information such as photos, videos, documents, invoices and even voice memos by accessing these files as they are shared, received by these apps. However, all of this would depend on whether malware was already installed on the user’s smartphone.
What happens in Media File jacking is that a malicious app installed on a user’s device could change numbers in a photo of an invoice to scam victims into giving money to the wrong person. Or attackers could modify personal photos received on these platforms, spoof audio messages or spread fake news by accessing and modifying the media files.
Symantec’s researchers created a malware and tested it to manipulate image and audio files sent through WhatsApp and Telegram. In a demo clip shared by the security firm (embedded above), a person sent a photo of two friends, but the recipient’s device with malware installed on it received an image where the two faces were replaced by that of actor Nicolas Cage.
“A WhatsApp user may send a family photo to one of their contacts, but what the recipient sees is actually a modified photo. While this attack may seem trivial and just a nuisance, it shows the feasibility of manipulating images on the fly,” said the security firm.
So how is the Media File jacking attack carried out ?
According to Symantec, the attack can take place due to the time lapse when a media file is received via the app and written to the disk and when it is loaded in the chat interface. The time lapse here is what could be exploited by malicious actors to intervene and manipulate media files without the user’s knowledge, says Symantec.
While the end-to-end encryption protects messages from surveillance and keeps the conversation on the platform hidden even from the companies themselves, it does not make these apps foolproof.
According to the security firm, when files are stored on external storage on Android, which is what WhatsApp uses by default and Telegram uses when the user enables ‘Save to Gallery’ feature, other apps can access these files and if a malware is present it can manipulate them.
On Android, apps write files to internal or external storage, though the ones written in external storage can be modified and accessed by other apps as well. Symantec in its blog post notes, “the fact that files are stored in, and loaded from, external storage without proper security mechanisms… allows other apps with write-to-external storage permission to risk the integrity of the media files.”
It notes that the “Write-to-external storage” is very common permission granted on Android with over a million apps in Google Play having this access. The risk is that with WhatsApp and Telegram granting this permission, a user’s media files could be vulnerable for misuse in case a malware finds its way to the device.
What’s the solution?
The security firm has laid down several options developers can adopt to protect against the threat. One possible way is for developers to check the integrity of files by storing a hash value in the metadata of each received media file, before writing it to the disk. Other options include storing files to internal storage and encryption for the media files as well.
This is not the first time security flaws in these apps have been exposed. In May this year, it was reported that a WhatsApp flaw allowed hackers to install spyware on a device with just a simple phone call. Back in 2017, Telegram was found to have a flaw that could let hackers take over accounts.