Symantec vice president and chief technology officer for modern operating system security Yair Amit and Alon Gat, a software engineer on the company’s modern OS security team, detailed the vulnerability in a blog post.
They said the vulnerability occurs during the time between when a file received via one of the affected messaging apps is written to disk and when it is loaded into the app’s user interface.
If exposed, malicious attackers and cybercriminals could potentially manipulate those media files without people’s knowledge, including personal photos and videos, corporate documents, invoices and voice memos.
A spokesperson for WhatsApp said the only way this vulnerability could become an issue is if a user’s device was already compromised by malware, which would affect all apps running on the device, and not just WhatsApp and Telegram.
The vulnerability does not represent an issue with the security provided by end-to-end encryption, the spokesperson added, providing the following statement: “WhatsApp has looked closely at this issue and it’s similar to previous questions about mobile device storage impacting the app ecosystem. WhatsApp follows current best practices provided by operating systems for media storage and looks forward to providing updates in line with Android’s ongoing development.”
Telegram had not responded to a request for comment at the time of this post.
Amit and Gat wrote, “The Media File Jacking threat is especially concerning in light of the common perception that the new generation of IM (instant messaging) apps is immune to content manipulation and privacy risks, thanks to the utilization of security mechanisms such as end-to-end encryption … However, as we’ve mentioned in the past, no code is immune to security vulnerabilities. While end-to-end encryption is an effective mechanism to ensure the integrity of communications, it isn’t enough if app-level vulnerabilities exist in the code. What the Media File Jacking research we found demonstrates is that attackers may be able to successfully manipulate media files by taking advantage of logical flaws in the apps that occur before and/or after the content is encrypted in transit.”
They also provided the following suggestions for changes users should make to their settings on WhatsApp and Telegram:
However, the WhatsApp spokesperson cautioned, “The suggested changes here could both create privacy complications for our users and limit how photos and files could be shared.”
Android Q, the 10th major release and 17th version of the OS, is slated to be released sometime during the third quarter of the year, and Amit and Gat said it includes changes to the way apps access files on external storage, adding that its scoped storage feature may help avoid similar vulnerabilities.