If you are relieved and content with the latest security update WhatsApp or Telegram might have provided, You must think again and there are some reasons to be worried. Researchers from cyber-security firm Symantec on Monday revealed the vulnerabilities that allowed hackers to manipulate the images and audio files you receive on these platforms. Though provided with end-to-end encryption, your data isn’t immune to hacking.
The security flaw, dubbed “Media File Jacking”, affected WhatsApp for Android by default, and Telegram for Android if certain features were enabled, Symantec researchers said in a blog post.
According to the researchers, WhatsApp saves files to external storage automatically, while Telegram does so when the “Save to Gallery” feature is enabled. However, neither apps have any system in place to protect users from a Media File Jacking attack, the researchers from Symantec’s Modern OS Security team explained.
This vulnerability can be exploited to scam victims in various ways.
“If the security flaw is exploited, a malicious attacker could misuse and manipulate sensitive information such as personal photos and videos, corporate documents, invoices, and voice memos,” wrote Software Engineer Alon Gat and Yair Amit, Vice-President and Chief Technology Officer, Modern OS Security, Symantec.
Giving an example of image manipulation, the researchers said a seemingly innocent, but actually malicious, app downloaded by a user could manipulate personal photos in near-real-time and without the victim knowing.
The app runs in the background and performs a “Media File Jacking attack” while the victim uses WhatsApp. It monitors for photos received through the app, identifies faces in photos, and replaces them with something else, such as other faces or objects.
“A WhatsApp user may send a family photo to one of their contacts, but what the recipient sees is actually a modified photo. While this attack may seem trivial and just a nuisance, it shows the feasibility of manipulating images on the fly,” said the blog post.
Using the same vulnerability, the attackers could make payment manipulation, audio message spoofing or spread fake news.
Hacking and Data theft are a classic example of how technology and the internet, primarily meant to benefit and provide a range of services to us can be used in a menacing manner as well. However, the proper way to deal with the problem would be to focus on overall digital awareness and literacy on one side and simultaneously create a robust cybersecurity infrastructure on another.