Security flaws in messaging apps allow hackers to alter images
Published: 11:23 AM, 16 July 2019
Although the end-to-end encryption of secure messaging apps such as WhatsApp and Telegram protects people from government surveillance, researchers from Symantec, a software company, have disclosed flaws that could allow hackers to alter images and audio files.
For example, if the sender sent a photo of a map, malware targeting WhatsApp and Telegram could replace the photo and give the recipient the wrong directions.
In another example, the malware could change the numbers in a photo of an invoice to scam victims into giving money to the wrong person.
Secure messaging apps are an important tool for activists and politicians who want to keep their conversations protected from surveillance. Messaging apps such as Signal, WhatsApp, Telegram and iMessage have end-to-end encryption, which means conversations are hidden from the companies themselves.
While the encryption protects messages from surveillance, it doesn’t mean that the apps are invulnerable.
In May, a report was published that a WhatsApp flaw allowed hackers to install spyware on devices with a ‘simple phone call’.
Symantec’s security researchers also disclosed a Telegram vulnerability in 2017 that allowed hackers to take over accounts.
The new vulnerability disclosed on Monday doesn’t allow for account hijacking, but it could be used for fraud, Symantec’s researchers said.
Symantec said in a recent blog post that the security flaw stems from how media files are stored on WhatsApp and Telegram. When files are stored on external storage, other apps can access and manipulate them.
On WhatsApp, files are stored externally by default, while on Telegram, the vulnerability is present if ‘Save to Gallery’ is enabled.
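The storage behaviour described above leaves a gap between the moment an app writes a received file to shared storage and the moment it is displayed. As an added illustration (not code from Symantec, WhatsApp or Telegram), the Python sketch below shows one way an app could detect a change made in that gap: it records a SHA-256 digest in private storage when the file arrives and checks it before use. The `MediaStore` class, the file names and the two temporary directories standing in for shared and app-private storage are assumptions made for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

class MediaStore:
    """Writes media to shared storage, keeps digests in app-private storage."""

    def __init__(self, shared_dir: Path, private_dir: Path):
        # Assumption: private_dir models internal storage other apps cannot write.
        self.shared_dir = shared_dir
        self.manifest = private_dir / "media_digests.json"

    def _load(self) -> dict:
        return json.loads(self.manifest.read_text()) if self.manifest.exists() else {}

    def receive(self, name: str, data: bytes) -> Path:
        """Record the digest of the decrypted bytes, then write the file."""
        digests = self._load()
        digests[name] = hashlib.sha256(data).hexdigest()
        self.manifest.write_text(json.dumps(digests))
        path = self.shared_dir / name
        path.write_bytes(data)
        return path

    def open_verified(self, name: str) -> bytes:
        """Return the file only if it still matches the recorded digest."""
        expected = self._load().get(name)
        if expected is None:
            raise KeyError(f"no digest recorded for {name}")
        data = (self.shared_dir / name).read_bytes()
        if hashlib.sha256(data).hexdigest() != expected:
            raise ValueError(f"{name} changed on shared storage after receipt")
        return data

def demo() -> tuple[bool, bool]:
    """Constructed scenario: one untouched file, one rewritten by another app."""
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        store = MediaStore(Path(shared), Path(private))
        store.receive("map.jpg", b"constructed-image-bytes-A")
        invoice = store.receive("invoice.jpg", b"constructed-image-bytes-B")
        invoice.write_bytes(b"constructed-image-bytes-B-altered")  # other app's write
        ok = store.open_verified("map.jpg") == b"constructed-image-bytes-A"
        try:
            store.open_verified("invoice.jpg")
            detected = False
        except ValueError:
            detected = True
        return ok, detected
```

The check only helps if the digest manifest itself lives somewhere other apps cannot write, which is why it is kept apart from the media files.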
Symantec’s researchers tested the malware by manipulating image and audio files sent through WhatsApp and Telegram.
Meanwhile, WhatsApp said in a statement: “WhatsApp has looked closely at this issue and it’s similar to previous questions about mobile device storage impacting the app ecosystem. WhatsApp follows current best practices provided by operating systems for media storage and looks forward to providing updates in line with Android’s ongoing development.”
However, Telegram didn’t comment on the matter.
Anyone using these apps can protect themselves from this risk by changing the settings for media storage. On WhatsApp, they can do this by going to settings and switching off ‘Media Visibility’. On Telegram, they can switch off ‘Save to Gallery’.
But WhatsApp said that the suggested changes could create privacy issues and limit how images are shared. Many apps save images in external storage so people can save pictures even when the app is uninstalled, and “most Android devices do not provide enough internal storage”, the company said.