Symantec researchers find a vulnerability that affects the file storage system of applications such as WhatsApp or Telegram WhatsApp is, by far, one of the most used applications by users around the world. There are more than 1,500 million registered profiles and the indispensable tool in digital communications. That is why the moments in which they produce disconnections and, of course, technical failures, are still worrisome. The “app” implemented two years ago, and after so many other critics, an end-to-end security system that promises great security of conversations.
But cybercriminals are skilled. They always find some way to penetrate systems. An investigation by security firm Symantec has discovered evidence of a significant vulnerability that allows a malicious person to manipulate the images and videos sent before it reaches its recipient. This security flaw, called ” Media File Jacking “, affects WhatsApp for Android by default and Telegram for Android if certain functions are enabled. It also allows you to modify the audio files.
This problem affects only the versions of Android mobile devices, the most widespread operating system in the world. It is an attack of type sequestration of images and is produced, according to the researchers, by the system implemented by this digital service when storing the files. Both applications save the images received by the users without an identification chain that informs if they have been altered by a third-party application.
It is an opportunity that, well exploited, can sow confusion among users. The researchers explain that the failure is due to the time that elapses between the time the files are received and when they are loaded into the chat interface of the applications for users to consume them. That is to say, the moment in which the users request the order to download the image to see it can be intercepted and, therefore, the privacy of the people can run at risk.
«This critical time lapse presents an opportunity for cybercriminals to intervene and manipulate multimedia files without the knowledge of the user. If the security breach is exploited, an attacker could manipulate confidential information, such as personal photos and videos, corporate documents, invoices, and voice notes, “said Yair Amit and Alon Gat, authors of the investigation, in a statement.
Experts believe that although end-to-end encryption is an effective mechanism to guarantee the security of communications, this system is not sufficient if there are vulnerabilities in the programming code. ” What we discovered in the investigation is that attackers can successfully manipulate multimedia files taking advantage of the logical failures of the applications, which occur before or after the content has been encrypted,” the researchers add.
By default, WhatsApp stores the multimedia files received by a device in an external storage in the following path: / storage / emulated / 0 / WhatsApp / Media. In Telegram, if a user enables the “Save in the gallery” function, assuming it is secure and without understanding its indirect ramifications, the “app” will store the contents of the files in a similar way in: / storage / emulated / 0 / Telegram /. The problem, the researchers point out, is that both are public directories: “the applications load the files received from the public directories so that the users can see them in the chat interface when they enter the corresponding chat “, they point out.
Therefore, the fact that files are stored and loaded from external storage without the proper security mechanisms can compromise the integrity of multimedia files. If the attacker first accesses the files (this can happen in real-time if a “malware” monitors the public directories to detect changes), the recipients will see the manipulated files before viewing the originals. In addition, the thumbnail that appears in the notification that users see will also show the manipulated image or file, so the recipients will not have any indication that the files have been changed. Experts believe that to avoid this possible problem, it is more convenient to save the images in a storage service in the “cloud” or on the device itself.
Other experts believe that the failure is not too serious but that, once again, demonstrates the impact of user permissions on the most popular applications. “The operation of the failure is based on user permissions. Each app has access only to its files. What happens is that if you one of those files – a photo that comes to you from another contract – if you leave it on the reel of photos, all the app that has access to the reel will have access to the photos. The “bug” shows, clearly, why it is necessary to limit the access to according to what application permits “, points to this newspaper Lorenzo Martínez, Securízame security expert