If you thought that an instant messaging platform like WhatsApp or Telegram that provides end-to-end encryption gives you rock-solid protection, think again.
Researchers at cyber-security firm Symantec disclosed weaknesses on Monday that allow hackers to manipulate the images and audio files found on these platforms.
A security flaw called “media file jacking” affects WhatsApp for Android by default, and Telegram for Android when certain features are enabled, Symantec researchers said in a blog post.
According to the researchers, WhatsApp automatically saves files to external storage, while Telegram does so when the “Save to Gallery” feature is enabled.
However, there is no mechanism in the apps to protect users from a media file jacking attack, researchers from Symantec’s Modern OS Security team explained.
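The gap described above, media written to shared external storage with nothing checking it before display, can be closed with an integrity check: record a digest when the file is written and verify it when the file is loaded. The following is an added example, not code from WhatsApp, Telegram or Symantec; it models the idea in Python, with a temporary directory standing in for external storage, and the `MediaStore` class, `TamperedMediaError` and the file name are hypothetical.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


class TamperedMediaError(Exception):
    """The file in shared storage no longer matches what the app wrote."""


class MediaStore:
    def __init__(self):
        # Assumption: this dict stands in for app-private storage that
        # other apps on the device cannot read or write.
        self._digests = {}

    def save(self, shared_dir: Path, name: str, data: bytes) -> Path:
        """Write received media to shared storage and record its SHA-256."""
        path = shared_dir / name
        path.write_bytes(data)
        self._digests[str(path)] = hashlib.sha256(data).digest()
        return path

    def load_verified(self, path: Path) -> bytes:
        """Return the bytes to display, or raise if they were altered.

        The file is read once and the same bytes are hashed and returned,
        so a swap between "check" and "use" cannot slip through.
        """
        expected = self._digests.get(str(path))
        data = path.read_bytes()
        actual = hashlib.sha256(data).digest()
        if expected is None or not hmac.compare_digest(expected, actual):
            raise TamperedMediaError(str(path))
        return data


def demo():
    """Constructed scenario: a file is rewritten after the app saved it."""
    store = MediaStore()
    with tempfile.TemporaryDirectory() as shared:  # stand-in for external storage
        path = store.save(Path(shared), "IMG-0001.jpg", b"original image bytes")
        untouched_ok = store.load_verified(path) == b"original image bytes"
        path.write_bytes(b"modified image bytes")  # change made outside the app
        try:
            store.load_verified(path)
            tamper_detected = False
        except TamperedMediaError:
            tamper_detected = True
    return untouched_ok, tamper_detected
```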
Attackers could exploit this vulnerability against victims in various ways.
Software engineer Alon Gat and Amr Amit, Vice-President and Chief Technology Officer, wrote:
“If a security threat is exploited, then a malicious attacker can misuse and manipulate sensitive information like private photos and videos,
corporate documents, invoices and voice memos.” (Modern OS Security, Symantec)
Giving an example of image manipulation, the researchers said that a user-installed app that seems very innocent, but is in reality malicious,
can manipulate individual photographs in near-real time and without the victim knowing.
The app runs in the background and performs a media file jacking attack while the victim uses WhatsApp.
It monitors for photos received through the app, identifies faces in photos, and replaces them with something else, such as other faces or objects.
“A WhatsApp user can send a family picture to one of their contacts, but what the recipient sees is actually a modified photo,
although this attack can be trivial and just a nuisance, to manipulate images on the fly,” they said in the blog post.
The same vulnerability can also be used for other manipulation attacks, audio message spoofing, or spreading fake news.
“In one of the most harmful media file jacking attacks, a malicious actor can manipulate an invoice sent by a customer to a seller,
to cheat the customer into paying an illegitimate account,” Gat and Amit wrote.
“The media file jacking hazard is especially in the light of the general perception that the new generation of IM (instant messaging) applications is immune to content manipulation and privacy risks,
thanks to the use of security mechanisms such as end-to-end encryption,” they said.
In May, reports showed that a bug in WhatsApp’s audio call feature allowed hackers to install spyware on Android and iOS phones just by calling the target.
The spyware was allegedly developed by the Israeli cyber intelligence company NSO Group.
WhatsApp said that it had recognized and “immediately” fixed the vulnerability, which enabled an attacker to insert and execute code on mobile devices.