Researchers say hackers can manipulate the
images and audio files that you receive on these platforms.
San Francisco: If you thought
instant messaging platforms like WhatsApp and Telegram that provide end-to-end
encryption give you rock-solid security, think again. Researchers from
cyber-security firm Symantec on Monday revealed the vulnerabilities that
allowed hackers to manipulate the images and audio files you receive on these
platforms.
The security flaw, dubbed "Media File
Jacking", affected WhatsApp for Android by default, and Telegram for
Android if certain features were enabled, Symantec researchers said in a blog
post.
According to the researchers, WhatsApp saves
files to external storage automatically, while Telegram does so when the
"Save to Gallery" feature is enabled. However, neither app has any
system in place to protect users from a Media File Jacking attack, the
researchers from Symantec's Modern OS Security team explained.
Attackers could exploit this vulnerability to
scam victims in various ways.
"If the security flaw is
exploited, a malicious attacker could misuse and manipulate sensitive
information such as personal photos and videos, corporate documents, invoices,
and voice memos," wrote Software Engineer Alon Gat and Yair Amit,
Vice-President and Chief Technology Officer, Modern OS Security,
Symantec.
Giving an example of image manipulation, the
researchers said a seemingly innocent, but actually malicious, app downloaded
by a user could manipulate personal photos in near-real time and without the
victim knowing.
The app runs in the background
and performs a "Media File Jacking attack" while the victim uses
WhatsApp. It monitors for photos received through the app, identifies faces in
photos, and replaces them with something else, such as other faces or
objects.
"A WhatsApp user may send a family photo to
one of their contacts, but what the recipient sees is actually a modified
photo. While this attack may seem trivial and just a nuisance, it shows the
feasibility of manipulating images on the
fly," said the blog
post.
Using the same vulnerability, attackers
could also manipulate payments, spoof audio messages or spread fake
news.
"In one of the most damaging Media File
Jacking attacks, a malicious actor can manipulate an invoice sent by a vendor
to a customer, to trick the customer into making a payment to an illegitimate
account," Gat and Amit wrote.
"The Media File Jacking threat is
especially concerning in light of the common perception that the new
generation of IM (instant messaging) apps are immune to content manipulation
and privacy risks, thanks to the utilisation of security mechanisms like
end-to-end encryption," they added.
Reports in May revealed that a bug in WhatsApp's
audio call feature allowed hackers to install spyware onto Android and iOS
phones just by calling the target. The spyware was reportedly developed by the
Israeli cyber intelligence company NSO Group.
WhatsApp had said it identified and
"promptly" fixed the vulnerability that could enable an attacker to
insert and execute code on mobile devices.
Read more at:
//economictimes.indiatimes.com/articleshow/70231139.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst