18.07.19, 02:16 PM
Security flaw gives hackers access to your photos, videos and voice messages
A dangerous security flaw allowing hackers to gain access to your photos, videos and voice messages has been discovered on encrypted messaging services WhatsApp and Telegram.
These services claim to be safer than traditional texting methods as they encrypt messages so only the sender and receiver can read them.
However, cyber security experts at Symantec have identified a tiny window of time where media files could be stolen and even edited by hackers.
The flaw has been dubbed “media file jacking” and affects WhatsApp for Android by default, and Telegram for Android if certain features are enabled.
“It stems from the lapse in time between when media files received through the apps are written to the disk, and when they are loaded in the apps’ chat user interface (UI) for users to consume,” researchers explained.
“This critical time lapse presents an opportunity for malicious actors to intervene and manipulate media files without the user’s knowledge.
“While end-to-end encryption is an effective mechanism to ensure the integrity of communications, it isn’t enough if app-level vulnerabilities exist in the code.”
Researchers said the flaw is due to Android phones saving files to an external storage public directory by default, meaning they can be modified by other apps or users.
The researchers found that the ideal opportunity for exploitation arises in the time between when files are first received on a device and written to the disk, and when they are loaded for users to view in the apps.
“Think of it like a race between the attacker and the app loading the files. If the attacker gets to the files first - this can happen almost in real time if the malware monitors the public directories for changes - recipients will see the manipulated files before ever seeing the originals,” Symantec wrote.
Experts warn the security flaw could allow cyber criminals to manipulate sensitive information such as personal photos and videos, corporate documents, invoices, and voice memos.
“In one of the most damaging Media File Jacking attacks, a malicious actor can manipulate an invoice sent by a vendor to a customer, to trick the customer into making a payment to an illegitimate account,” Symantec wrote.
To ensure that media files are kept safe from malicious actors, Symantec recommend users store media files in a non-public directory, such as internal storage.
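For files that must stay in shared storage, the gap between write and load described above can be covered by recording a digest when the file is written and checking it when the file is loaded. This is an added example, not code from Symantec, WhatsApp or Telegram; the digest check is a technique introduced here rather than one the article describes, and `VerifiedMediaStore`, `demo` and the sample file contents are hypothetical.

```python
import hashlib
import hmac
import os
import tempfile


class VerifiedMediaStore:
    """Hypothetical helper: pins a SHA-256 digest when media is written and
    checks it when the media is loaded for display."""

    def __init__(self, directory):
        self.directory = directory
        os.makedirs(directory, exist_ok=True)
        # Digests live in app-private state, never next to the shared file.
        self._digests = {}

    def receive(self, name, data):
        """Write received media to disk and remember its digest."""
        path = os.path.join(self.directory, name)
        with open(path, "wb") as f:
            f.write(data)
        self._digests[name] = hashlib.sha256(data).hexdigest()
        return path

    def load(self, name):
        """Return the bytes to display, or raise if they changed on disk."""
        with open(os.path.join(self.directory, name), "rb") as f:
            data = f.read()  # read once; hash and return these same bytes
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(actual, self._digests[name]):
            raise ValueError(f"{name}: modified between write and load")
        return data


def demo():
    """Constructed scenario: a file in a shared directory changes before load."""
    with tempfile.TemporaryDirectory() as shared_dir:
        store = VerifiedMediaStore(shared_dir)
        path = store.receive("invoice.txt", b"constructed: pay account 111")
        clean = store.load("invoice.txt")
        # Stand-in for any other writer with access to the shared directory.
        with open(path, "wb") as f:
            f.write(b"constructed: pay account 999")
        try:
            store.load("invoice.txt")
            return clean, False
        except ValueError:
            return clean, True


if __name__ == "__main__":
    print(demo())
```

`load` hashes and returns the same bytes from a single read, so the check itself does not open a second gap between verification and display.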
WhatsApp said that for this to become an issue in the real world, a user’s device would have to become compromised via malware, which would likely present a risk to all apps running on a device, not just the encrypted messaging service.
“WhatsApp has looked closely at this issue and it’s similar to previous questions about mobile device storage impacting the app ecosystem,” a spokesperson told nine.com.au.
“WhatsApp follows current best practices provided by operating systems for media storage and looks forward to providing updates in line with Android’s ongoing development.
“The suggested changes here could both create privacy complications for our users and limit how photos and files could be shared.”
Telegram has also been contacted for comment.
HOW TO FIX THE FLAW
The WhatsApp and Telegram features that save media files to external storage can be disabled in the settings of the apps.
Simply open WhatsApp then go into Settings > Chats > Media Visibility and toggle the setting to off.
For Telegram, open Settings > Chat Settings > Save to Gallery and toggle the setting to off.