Have you heard of media file jacking attacks? This is the type of attack where malicious actors become capable of manipulating media files. Unfortunately, the media file jacking attack is not hypothetical.
Symantec’s Modern OS Security team just reported that WhatsApp and Telegram are both vulnerable to this attack. WhatsApp for Android, in particular, is vulnerable by default, where Telegram for Android is when specific features are enabled.
Where Does the File Jacking Vulnerability Stem From?
“It stems from the lapse in time between when media files received through the apps are written to the disk, and when they are loaded in the apps’ chat user interface (UI) for users to consume”, the researchers explained in their report.
The critical time lapse opens a gate for attackers to intercept and manipulate media files. Of course, this is done without the knowledge or permission of the Android device’s owner. In case of a successful exploit, sensitive information could be abused or altered, including personal photos and videos, important documents, invoices, voice memos. Furthermore, threat actors could also exploit the relations between a sender and a receiver in a communication to their personal gain.
The main concern with this vulnerability, however, lies elsewhere:
The Media File Jacking threat is especially concerning in light of the common perception that the new generation of IM apps is immune to content manipulation and privacy risks, thanks to the utilization of security mechanisms such as end-to-end encryption.
Media File Jacking Attack: the Consequences
The attack is similar to the so-called man-in-the-disk attack. Shortly put, a malicious app installed on a recipient’s device can be used to hijack private media files which are sent via the device’s external storage.
Basically, there are four attack scenarios stemming from the media file jacking vulnerability.
1. Image manipulation, where “a seemingly innocent, but actually malicious, app downloaded by a user can manipulate personal photos in near-real time and without the victim knowing.”
2. Payment manipulation, where “a malicious actor can manipulate an invoice sent by a vendor to a customer, to trick the customer into making a payment to an illegitimate account.”
3. Audio message spoofing, where “an attacker exploits the relations of trust between employees in an organization.”
4. Fake news spread via Telegram: “In Telegram, admins use the concept of “channels” to broadcast messages to an unlimited number of subscribers who consume the published content. An attacker can change the media files that appear in the channel feed in real time.”
The Symantec security team has notified both Telegram and Facebook about the media file jacking vulnerability. It is highly likely that Google will address the problem with the release of Android Q. Further details about addressing the issue are available in the report.
It is noteworthy that in August 2018, a particular vulnerability in WhatsApp could allow malicious users to infiltrate group chats and manipulate the messages of individual users. The hackers could take advantage of the malicious method and abuse it to intercept and change contents of messages sent in private conversations or large group chats.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me:
Easy fix, store a hash of image as well as location.
Hardly a big issue anyway… oh no images don’t match text under them.. #obvious hack…
Don’t seem to see these kind of stories about facebook who have an exploit almost every week as bad as this? Guess we know who’s paying the news feed. #obvious
#done