New exploit allows hackers to access shared files via WhatsApp and Telegram

Ethical hacking specialists from cybersecurity firm Symantec reported the discovery of a vulnerability that, if exploited, would allow a hacker to access files (such as photos, videos or PDF documents) shared via WhatsApp and Telegram.  

The vulnerability, dubbed ‘Media File Jacking’ by the researchers, exists because of the gap between the moment a received file is written to the device’s storage and the moment the app loads it into its user interface: during that window, another app with access to the same storage can modify the file before it is shown. End-to-end encryption protects the message in transit, but it does not protect a file once it has been written to shared storage, so this discovery is a security risk worth taking seriously.

Symantec’s ethical hacking experts have already notified WhatsApp and Telegram, which together have more than 1.5 billion active users, about this flaw. Researchers claim that they also have a list of applications capable of exploiting this vulnerability.

In response to these reports, WhatsApp, owned by Facebook, published a statement: “an analysis of this incident has been done and we can confirm that it is similar to inconveniences with the storage of mobile systems affecting some apps reported before. WhatsApp complies with the highest information security practices.”

Despite how bad this sounds, users of instant messaging services can take some measures to reduce the risk of this flaw being exploited. For example, you can disable the option that saves files received by these platforms to external storage (SD cards, etc.), so that received media stays in the app’s private storage where other apps cannot modify it.
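The write-to-load window described above, and the effect of the storage mitigation, as an added simulation that is not part of the original article or of either app’s code. It models the receiver writing a file to shared storage, a third-party app altering it during the window, and the app pinning a SHA-256 digest at write time so that an altered file is rejected instead of displayed; the file names and contents are constructed.

```python
import hashlib
import os
import tempfile
from typing import Optional, Tuple

# Constructed simulation of the Media File Jacking window: the messaging app
# writes a received file to shared storage and only later loads it into the
# UI. Any app that can write to that storage may alter the file in between.
# The defence shown is an integrity check (pin the digest at write time and
# verify before loading). Keeping media in app-private storage, as the
# article's mitigation suggests, closes the window entirely because other
# apps cannot write there.

def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def receive_file(shared_dir: str, name: str, data: bytes) -> Tuple[str, str]:
    """Write the received media to shared storage and pin its digest."""
    path = os.path.join(shared_dir, name)
    with open(path, "wb") as f:
        f.write(data)
    return path, sha256_of(path)

def load_into_ui(path: str, expected_digest: str) -> Optional[bytes]:
    """Return the file for display only if it still matches the pinned digest."""
    if sha256_of(path) != expected_digest:
        return None  # altered during the write-to-load window: do not display
    with open(path, "rb") as f:
        return f.read()

def simulate(tamper: bool) -> Optional[bytes]:
    """One receive -> window -> load cycle. tamper=True models another app
    rewriting the file while it sits in shared storage."""
    with tempfile.TemporaryDirectory() as shared_dir:  # stands in for the SD card
        original = b"%PDF-1.4 constructed sample invoice"
        path, digest = receive_file(shared_dir, "invoice.pdf", original)
        if tamper:
            with open(path, "wb") as f:
                f.write(b"%PDF-1.4 constructed altered invoice")
        return load_into_ui(path, digest)

if __name__ == "__main__":
    print("clean file displayed:", simulate(False) is not None)
    print("altered file rejected:", simulate(True) is None)
```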

If a threat actor manages to exploit this flaw, they may be able to access sensitive user information for malicious purposes, such as blackmail or identity fraud.

In addition to revealing this vulnerability, ethical hacking experts discovered a malicious application known as MobonoGram 2019, which they identified as a fraudulent version of the Telegram app.

According to the specialists of the International Institute of Cyber Security (IICS), although this application includes some basic Telegram functions (such as sending text), it also ran services in the background and could open dozens of malicious sites at once. The app was even available on the Google Play Store and was downloaded about 100 thousand times before being reported and removed from the platform.
