WhatsApp, Telegram media files could be manipulated

July 15, 2019

San Francisco: If you thought instant messaging platforms like WhatsApp and Telegram that provide end-to-end encryption give you rock-solid security, think again. Researchers from cyber-security firm Symantec on Monday revealed vulnerabilities that allowed hackers to manipulate the images and audio files you receive on these platforms.

The security flaw, dubbed “Media File Jacking”, affected WhatsApp for Android by default, and Telegram for Android if certain features were enabled, Symantec researchers said in a blog post.

According to the researchers, WhatsApp saves files to external storage automatically, while Telegram does so when the “Save to Gallery” feature is enabled. However, neither app has any system in place to protect users from a Media File Jacking attack, the researchers from Symantec’s Modern OS Security team explained.

Attackers could exploit this vulnerability to scam victims in various ways.

“If the security flaw is exploited, a malicious attacker could misuse and manipulate sensitive information such as personal photos and videos, corporate documents, invoices, and voice memos,” wrote Software Engineer Alon Gat and Yair Amit, Vice-President and Chief Technology Officer, Modern OS Security, Symantec.

Giving an example of image manipulation, the researchers said a seemingly innocent, but actually malicious, app downloaded by a user could manipulate personal photos in near-real time and without the victim knowing.

The app runs in the background and performs a “Media File Jacking attack” while the victim uses WhatsApp. It monitors for photos received through the app, identifies faces in photos, and replaces them with something else, such as other faces or objects.

“A WhatsApp user may send a family photo to one of their contacts, but what the recipient sees is actually a modified photo. While this attack may seem trivial and just a nuisance, it shows the feasibility of manipulating images on the fly,” said the blog post.

Using the same vulnerability, attackers could also manipulate payments, spoof audio messages or spread fake news.

“In one of the most damaging Media File Jacking attacks, a malicious actor can manipulate an invoice sent by a vendor to a customer, to trick the customer into making a payment to an illegitimate account,” Gat and Amit wrote.

“The Media File Jacking threat is especially concerning in light of the common perception that the new generation of IM (instant messaging) apps are immune to content manipulation and privacy risks, thanks to the utilisation of security mechanisms like end-to-end encryption,” they added.
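The missing safeguard described above can take the form of an integrity check: record a digest of each media file as it is received, keep that record where other apps cannot write, and compare it before the file is displayed. The sketch below is an added example, not code from Symantec, WhatsApp or Telegram; the class name `MediaIntegrityStore`, the manifest file name and the two temporary directories (standing in for app-private storage and shared external storage) are assumptions.

```python
import hashlib
import json
from pathlib import Path
from tempfile import TemporaryDirectory


class MediaIntegrityStore:
    """Keeps SHA-256 digests of received media in a private manifest."""

    def __init__(self, private_dir):
        self.manifest = Path(private_dir) / "media_manifest.json"

    def _load(self):
        if not self.manifest.exists():
            return {}
        return json.loads(self.manifest.read_text())

    def save_received(self, data, shared_path):
        # Hash the bytes as received, in memory, before they reach shared
        # storage: a file altered right after the write is still caught.
        entries = self._load()
        entries[str(shared_path)] = hashlib.sha256(data).hexdigest()
        self.manifest.write_text(json.dumps(entries))
        Path(shared_path).write_bytes(data)

    def verify(self, shared_path):
        """Return 'ok', 'modified', 'missing' or 'unknown' before display."""
        expected = self._load().get(str(shared_path))
        if expected is None:
            return "unknown"
        path = Path(shared_path)
        if not path.is_file():
            return "missing"
        actual = hashlib.sha256(path.read_bytes()).hexdigest()
        return "ok" if actual == expected else "modified"


def demo():
    # Constructed sample: temp directories stand in for private/shared storage.
    with TemporaryDirectory() as private, TemporaryDirectory() as shared:
        store = MediaIntegrityStore(private)
        invoice = Path(shared) / "invoice.pdf"
        store.save_received(b"constructed invoice: pay account A", invoice)
        before = store.verify(invoice)
        # Another process with write access to shared storage edits the file.
        invoice.write_bytes(b"constructed invoice: pay account B")
        return before, store.verify(invoice), store.verify(Path(shared) / "x.jpg")
```

Calling `demo()` returns the verdicts for the untouched file, the altered file and a file the store never recorded.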

Reports in May revealed that a bug in WhatsApp’s audio call feature allowed hackers to install spyware onto Android and iOS phones just by calling the target. The spyware was reportedly developed by the Israeli cyber intelligence company NSO Group.

WhatsApp had said it identified and “promptly” fixed the vulnerability that could enable an attacker to insert and execute code on mobile devices.

IANS
