The issue, present on Android versions, is similar to the known man-in-the-disk attack vector.
Though WhatsApp and Telegram tout themselves as secure messaging services, faulty developer coding that allows cyber-attackers to intercept media files sent on the Android versions of the services (like photos and videos, documents and voice memos) undercuts that claim.
The security weakness, dubbed Media File Jacking, is a variant of the “man in the disk” flaw revealed by Check Point at DEFCON last year. It arises from the fact that Android’s OS makes use of two types of storage – internal storage which provides every app with its own sandbox and is not accessible by other apps; and an external storage mechanism that uses a removable SD card. This latter storage is shared across the OS, because it’s designed to enable apps to transfer data from one app to another. So, if a user takes a picture and then wants to send it to someone using a messaging app, the external storage is the platform that allows this to happen.
By default, WhatsApp stores media files received by a device in external storage. In Telegram, the app does so if a user enables the “Save to Gallery” feature. In both cases though, the services lack proper security mechanisms to prevent other apps with write-to-external storage permissions to access the files, researchers said.
Exacerbating the issue is a time lapse between when media files are received and written to disk, and when they show up in users’ chats, according to researchers. During that short window, malicious actors can intervene and access the files without the user’s knowledge, despite the fact that the apps use end-to-end encryption.
Thus, adversaries can convince someone to download a rogue app (via various social-engineering techniques) with write-to-external storage permissions, which can wait and silently listen for a media file to be written to the external storage disk. It can then instantaneously copy or manipulate the file (or just replace it with another file entirely) before it shows up in the recipient’s chat window.
Original story reported by ThreatPost.com • Threatpost is an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.