Ethical hacking specialists from cybersecurity firm Symantec reported the discovery of a vulnerability that, if exploited, would allow a hacker to access files (such as photos, videos or PDF documents) shared via WhatsApp and Telegram.
The vulnerability, dubbed ‘Media File Jacking’ by the researchers, exists because of the time window between the moment a received file is written to the device’s disk and the moment the application loads it into its user interface. End-to-end encryption protects a message while it is in transit, but it offers no protection for a file once it has been written to shared storage on the device, which is why this discovery is a genuine security risk.
Symantec’s ethical hacking experts have already notified WhatsApp and Telegram, which together have more than 1.5 billion active users, about this flaw. The researchers also claim to have a list of applications capable of exploiting this vulnerability.
Regarding these reports, WhatsApp, owned by Facebook, published a statement saying: “An analysis of this incident has been done and we can confirm that it is similar to inconveniences with the storage of mobile systems affecting some apps reported before. WhatsApp complies with the highest information security practices.”
Despite how bad this sounds, users of instant messaging services can take some measures to reduce the risk of this flaw being exploited. For example, you can disable the option that stores files received through these platforms on external storage (SD cards, etc.).
If a threat actor manages to exploit this flaw, they may gain access to sensitive user information and use it for malicious purposes, such as blackmail or identity fraud.
In addition to disclosing this vulnerability, the ethical hacking experts discovered a malicious application known as MobonoGram 2019, which they identified as a fraudulent version of the Telegram app.
According to specialists at the International Institute of Cyber Security (IICS), although this application offers some basic Telegram functions (such as sending text), it also ran services in the background and could open dozens of malicious sites at once. The app was even available on the Google Play Store and was downloaded about 100,000 times before being reported and removed from the platform.