Vulnerability Management

Flaw allows attackers to alter media files sent via WhatsApp, Telegram, say researchers


Researchers have reported a vulnerability in the Android versions of WhatsApp and Telegram that could allow malicious actors to manipulate media files sent via the apps.

This "media file-jacking" flaw could allow attackers to alter photographs, modify invoices (to aid in a financial scam), swap out files in a particular channel feed, or potentially even manipulate audio messages, warned cyber-software firm Symantec in a July 15 company blog post.

"The media file-jacking threat is especially concerning in light of the common perception that the new generation of IM apps is immune to content manipulation and privacy risks," wrote Symantec blog post authors Yair Amit, VP and CTO of modern OS security, and Alon Gat, software engineer. "However, as we’ve mentioned in the past, no code is immune to security vulnerabilities. While end-to-end encryption is an effective mechanism to ensure the integrity of communications, it isn’t enough if app-level vulnerabilities exist in the code."

The researchers said the vulnerability exists because WhatsApp, in its default mode, and Telegram, when its "Save to Gallery" feature is enabled, both store media files that are received by a device in external storage. Storing them externally instead of internally means that other apps, including malicious ones that the user may have downloaded, now have the ability to access and modify the media files, provided that said apps are granted certain write-to-external storage permissions.

That leaves media files vulnerable to malicious manipulation and data integrity attacks in window of time between when received media are initially received and written to the disk and when they are loaded into the apps' chat user interface, Symantec explained.

"Think of it like a race between the attacker and the app loading the files. If the attacker gets to the files first – this can happen almost in real time if the malware monitors the public directories for changes – recipients will see the manipulated files before ever seeing the originals," the Symantec blog post said. "Additionally, data can be manipulated on WhatsApp both when sending files – meaning the attack is launched on the sender’s device – and when receiving files – with the attack happening on the receiving device."

(Embedded within Symantec's post is a YouTube video clip in which the researchers provide a humorous example of how an image might be altered, replacing two men's faces with the visage of actor Nicholas Cage.)

App users can insulate themselves from a media file-jacking attack by disabling the feature that saves media files to external storage, reported the Symantec team, which also recommended that app developers use internal storage whenever possible, encrypt sensitive files and validate the integrity of files by storing "in a metadata file a hash value for each received media file before writing it to the disk."

Symantec said it disclosed the issue to both Telegram and WhatsApp parent company Facebook. SC Media has reached out to these two companies for comment.

"WhatsApp has looked closely at this issue and it's similar to previous questions about mobile device storage impacting the app ecosystem," said a WhatsApp spokesperson in a statement provided to SC Media. "WhatsApp follows current best practices provided by operating systems for media storage and looks forward to providing updates in line with Android's ongoing development. The suggested changes here [in Symantec's blog post] could both create privacy complications for our users and limit how photos and files could be shared."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.