Photo: Reuters

What frequent vulnerabilities in WhatsApp and Telegram tell us

Recent reports of vulnerabilities in these platforms underscore the fact that these instant messaging apps are far from secure

BENGALURU: Encrypting messages and chats by default has endeared WhatsApp and Telegram to privacy enthusiasts. However, recent reports of vulnerabilities in these platforms underscore the fact that these instant messaging apps are far from secure.

A case in point is the Double Free vulnerability in WhatsApp for Android that was reported last week by a researcher named Awakened. In a technical page on GitHub, the researcher points out that the attack could be carried out by sending a malicious GIF (graphics interchange format) file as a document to WhatsApp on any smartphone running Android 8.0 or a higher version. All the attacker has to do is wait until the user opens the photo gallery within WhatsApp to send a media file to another contact.

Facebook acknowledged the vulnerability and patched it in version 2.19.244. The vulnerability could be exploited to install a malicious app and steal files in the WhatsApp sandbox, including the message database. It could also be used to give hackers remote administrative access over the device.

“The most alarming aspect of this vulnerability is that it is actually a vulnerability in a software component, a media library used by WhatsApp,” said Jonathan Knudsen, Senior Security Strategist at Synopsys Software Integrity Group.

The fact that there are apps that use the same library suggests there may be more vulnerable platforms out there.

This July, researchers at Symantec reported a vulnerability called Media File Jacking, which occurs due to the time lapse between when media files are written to disk and when they are loaded in the app’s chat interface. Both WhatsApp and Telegram store media files received by a device in public directories in external storage.

The fact that files are stored in and loaded from external storage without proper security in place makes them susceptible to manipulation. In this case, researchers showed how malware can be used to manipulate the actual file and replace it with a malicious one. Researchers at Symantec pointed out that vulnerabilities like Media File Jacking will exist and open the door to manipulation as long as app developers continue to use storage resources in an insecure manner.

Not to forget the spyware attack from May 2019, in which spyware called Pegasus was installed on a user’s phone after a call was made, even if they didn’t answer. To avoid detection, the spyware erased the incoming call from the app’s call logs. Facebook identified the flaw as a buffer overflow vulnerability in WhatsApp’s VoIP stack, which allowed remote code execution via a specially crafted series of SRTCP packets sent to a target phone number.

With Pegasus, attackers were able to bypass the application sandbox implemented by Android OS and access text messages, activate the microphone and camera, and steal other sensitive information on the device.

At the Black Hat conference in August 2019, Check Point Research demonstrated how WhatsApp’s source code could be reverse-engineered to successfully intercept and manipulate private messages. Researchers first reversed its algorithm to decrypt the data and found that the messaging platform was using the protobuf2 protocol for encryption.

By converting the protobuf2 data to JSON (JavaScript Object Notation), a data interchange format, they were able to access the public and private keys and manipulate the messages.

Researchers were able to spoof a reply message by sending it first to themselves so they could modify the content and then send the message back to the recipient. They also showed how an attacker can change the identity of a sender in a group chat.

“Users should keep an eye on WhatsApp updates and download new versions immediately to stay secure as many of the updates can be patches for such vulnerabilities,” cautioned Victor Chebyshev, security researcher at Kaspersky.

Knudsen points out that the double free vulnerability shows how software depends on a complex interaction of components. Tracking the software supply chain, as part of a secure software development lifecycle, will allow such platforms to understand the interdependencies of software and minimise such risks in the future.

End-to-end encryption protects users from being targeted by hackers, governments and ISPs, but the platforms offering those services have not been built with security as a prerequisite from scratch, which is why new vulnerabilities keep surfacing frequently.
