Security flaw gives hackers access to your photos, videos and voice messages

| 18.07,19. 02:16 PM |

Security flaw gives hackers access to your photos, videos and voice messages

A dangerous security flaw allowing hackers to gain access to your photos, videos and voice messages has been discovered on encrypted messaging services WhatsApp and Telegram.

These services claim to be safer than traditional texting methods as they encrypt messages so only the sender receiver can read them.

However, cyber security experts at Symantec have identified a tiny window of time where media files could be stolen and even edited by hackers.

The changes will allow Facebook, Instagram and WhatsApp to communicate

WhatsApp is one of the apps affected by the flaw. (Nine/Supplied)

The flaw has been dubbed “media file jacking” and affects WhatsApp for Android by default, and Telegram for Android if certain features are enabled.

“It stems from the lapse in time between when media files received through the apps are written to the disk, and when they are loaded in the apps’ chat user interface (UI) for users to consume,” researchers explained.

“This critical time lapse presents an opportunity for malicious actors to intervene and manipulate media files without the user’s knowledge.

“While end-to-end encryption is an effective mechanism to ensure the integrity of communications, it isn’t enough if app-level vulnerabilities exist in the code.”

Researchers said the flaw is due to Android phones saving files to an external storage public directory by default, meaning they can be modified by other apps or users.

It was found the ideal opportunity for exploitation arises in the time between when files are first received on a device and written to the disk and when they are loaded for users to consume via the apps.

“Think of it like a race between the attacker and the app loading the files. If the attacker gets to the files first - this can happen almost in real time if the malware monitors the public directories for changes - recipients will see the manipulated files before ever seeing the originals,” Symantec wrote.

Experts warn the security flaw could allow cyber criminals to manipulate sensitive information such as personal photos and videos, corporate documents, invoices, and voice memos.

“In one of the most damaging Media File Jacking attacks, a malicious actor can manipulate an invoice sent by a vendor to a customer, to trick the customer into making a payment to an illegitimate account,” Symantec wrote.

To ensure that media files are kept safe from malicious actors, Symantec recommend users store media files in a non-public directory, such as internal storage.

WhatsApp said the this to become an issue in the real world, a user’s device would have to become compromised via malware, which would likely present a risk to all apps running on a device, not just  the encrypted messaging service.

“WhatsApp has looked closely at this issue and it’s similar to previous questions about mobile device storage impacting the app ecosystem," a spokesperson told

"WhatsApp follows current best practices provided by operating systems for media storage and looks forward to providing updates in line with Android’s ongoing development.

"The suggested changes here could both create privacy complications for our users and limit how photos and files could be shared.”

Telegram has also been contacted for comment.


The WhatsApp and Telegram features that save media files to external storage can be disabled in the settings of the apps.

Simply open WhatsApp then go into Settings > Chats > Media Visibility and toggle the setting to off.

For Telegram, open Settings > Chat Settings > Save to Gallery and toggle the setting to off.


(Votes: 0)

Other News

Pedestrian dead after being hit on major Melbourne freeway Narangba mother Carly Robson and three children missing since last week Burning cars spark apartment scare Police on hunt for escaped inmate in Illawarra, Liverpool homes evacuated after fire scare Traffic delays in Brisbane as police negotiate with armed man Security fears raised over face ageing app Festival deaths: Final texts sent by Alex Ross-King revealed Origin Energy accused of pressuring NSW Government to shut down popular sports camp AEMC urges change to allow users to sell power back to the grid to guarantee energy demand Police bomb squad called to Adelaide city street after explosives allegedly found Message thrown overboard 50 years ago washes up, sparking search for author Paul Gilmore Thousands sign petition calling for boycott of Coles over Little Shop 2 collection Sunshine Coast man charged with rape, sexual assault and recording women using 'spy cameras' in towel racks UTS, Curtin unis announce reviews over links to surveillance tech used by Chinese Government Private health care facing 'death spiral' if young, healthy users abandon insurance, report says AFP raid on ABC reveals investigative journalism being put in same category as criminality Bungendore cocaine bust sees more than 380kg seized from inside second-hand excavator Adelaide, Brisbane property prices set to rise by 2022 Teenage girl in 'serious but stable' condition after being pinned under bus in Parramatta Why Luke Howarth's claims on homelessness in Australia get mixed verdicts Newstart allowance boost needed, COTA chief says, following tax cuts and deeming rate changes Sydney International Airport delays after passport machines reportedly break down Bones found on NSW beach belong to missing French backpacker, police say Falling tree kills man and boy in their car on Monbulk Road, Sherbrooke Teen fighting for life after bus mounts kerb and ploughs into waiting passengers at busy Sydney bus interchange 'Human' bone found on Port Macquarie beach, pedestrian killed by car in Frenchs Forest Earthquake in Indian Ocean felt from Broome to Perth Damaging winds lash NSW's south-east, bringing fresh chaos to Sydney Airport البحرية المغربية تنقذ عشرات المهاجرين في المتوسط WestConnex M4 tunnels open, but some motorists struggle with new traffic conditions