According to new research by Symantec, a new security flaw called 'Media File Jacking' could expose WhatsApp and Telegram media files on Android devices and it could be manipulated by malicious actors too. The media files and sensitive information could be misused if the security flaw is exploited. The 'Media File Jacking' security flaw affects WhatsApp for Android by default and the report reveals that it also affects Telegram for Android if certain features are enabled. The flaw is originated from the lapse in time between when media files received through the apps are written to the disk, and when they are loaded in the apps’ chat user interface for users to consume. This time-lapse gives the opportunity for malicious actors to intervene and manipulate media files without the user’s knowledge. WhatsApp supports an end to end encryption and Telegram provides end-to-end encryption for voice calls and optional end-to-end "secret" chats. But in spite of this, attackers may be able to successfully manipulate media files by taking advantage of logical flaws in the apps, that occur before and/or after the content is encrypted in transit, reveals the research. The findings also reveal that files saved to external storage are world-readable/writable and could be modified by other apps ...
Tuesday, 16 July 2019
Media File Jacking security flaw affects WhatsApp and Telegram media files on Android devices
According to new research by Symantec, a new security flaw called 'Media File Jacking' could expose WhatsApp and Telegram media files on Android devices and it could be manipulated by malicious actors too. The media files and sensitive information could be misused if the security flaw is exploited. The 'Media File Jacking' security flaw affects WhatsApp for Android by default and the report reveals that it also affects Telegram for Android if certain features are enabled. The flaw is originated from the lapse in time between when media files received through the apps are written to the disk, and when they are loaded in the apps’ chat user interface for users to consume. This time-lapse gives the opportunity for malicious actors to intervene and manipulate media files without the user’s knowledge. WhatsApp supports an end to end encryption and Telegram provides end-to-end encryption for voice calls and optional end-to-end "secret" chats. But in spite of this, attackers may be able to successfully manipulate media files by taking advantage of logical flaws in the apps, that occur before and/or after the content is encrypted in transit, reveals the research. The findings also reveal that files saved to external storage are world-readable/writable and could be modified by other apps ...
