Security firm Symantec says it has found a security flaw in the Android apps for WhatsApp and Telegram, which could allow hackers to "manipulate" files transferred between users.
According to a Symantec blog published Monday, the flaw relates to the fact that the messaging apps can save files such as photos or videos automatically to your phone's gallery or external storage. This is something WhatsApp does automatically unless a user opts out in the settings. Telegram users can enable the feature.
The security flaw becomes an issue if a user also has malware on their device that can read and write the phone's external storage. Because any app with that permission can modify files there, such malware could alter media files after a messaging app saves them but before the recipient opens them. Symantec terms the attack "Media File Jacking."
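The mechanism above, and the file-validation fix Symantec's recommendations point at, can be reduced to a small simulation. The following is an added example and not code from Symantec, WhatsApp or Telegram: two temporary directories stand in for Android external storage and for an app's private storage, a function named `malware_rewrite` stands in for a co-resident app holding the external-storage write permission, and the invoice byte strings are constructed sample data. The app records a SHA-256 digest of the received bytes in private storage and refuses to display a file whose on-disk content no longer matches.

```python
"""Simulation of a "Media File Jacking" swap on shared storage and an
integrity check that detects it. Illustrative stand-in, not app code."""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample payloads: the vendor's invoice and the attacker's swap.
GENUINE_INVOICE = b"%PDF-1.4 invoice: pay to account 1111 2222 3333"
TAMPERED_INVOICE = b"%PDF-1.4 invoice: pay to account 9999 8888 7777"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class MessagingApp:
    """Stand-in for a messaging app that saves media to shared storage."""

    def __init__(self, shared_dir: Path, private_dir: Path) -> None:
        self.shared_dir = shared_dir      # world-writable, like external storage
        self.private_dir = private_dir    # readable/writable by this app only

    def receive(self, name: str, data: bytes) -> Path:
        """Write the media file where the gallery can see it, but keep the
        digest of the bytes as received (hashed in memory, never re-read
        from the shared path) in private storage."""
        path = self.shared_dir / name
        path.write_bytes(data)
        (self.private_dir / f"{name}.sha256").write_text(sha256_hex(data))
        return path

    def load(self, name: str) -> bytes:
        """Re-read the file and compare against the recorded digest before
        showing it. Any modification on shared storage is rejected."""
        data = (self.shared_dir / name).read_bytes()
        expected = (self.private_dir / f"{name}.sha256").read_text()
        if sha256_hex(data) != expected:
            raise ValueError(f"{name}: content changed on shared storage")
        return data


def malware_rewrite(shared_dir: Path, name: str, data: bytes) -> None:
    """Hypothetical co-resident malware: anything with write access to
    external storage can overwrite the saved file in place."""
    (shared_dir / name).write_bytes(data)


def run_scenario(tamper: bool) -> dict:
    """Return what a naive viewer would show and what the validating
    loader decides, with or without the attacker acting."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp) / "external"
        private = Path(tmp) / "app_private"
        shared.mkdir()
        private.mkdir()
        os.chmod(private, 0o700)  # only the app's own UID gets in

        app = MessagingApp(shared, private)
        app.receive("invoice.pdf", GENUINE_INVOICE)
        if tamper:
            malware_rewrite(shared, "invoice.pdf", TAMPERED_INVOICE)

        # A viewer that trusts the shared path shows whatever is there now.
        naive_view = (shared / "invoice.pdf").read_bytes()
        try:
            app.load("invoice.pdf")
            verdict = "accepted"
        except ValueError:
            verdict = "rejected"
        return {"naive_shows_tampered": naive_view == TAMPERED_INVOICE,
                "validated": verdict}


if __name__ == "__main__":
    print(run_scenario(tamper=False))
    print(run_scenario(tamper=True))
```

The check only works because the digest lives outside the attacker's reach and is computed from the bytes the app actually received; hashing by re-reading the shared file would let a fast enough attacker win the race. It also does nothing for confidentiality: the same permission that lets malware overwrite the file lets it read it.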
One example given by Symantec is that a hacker could intercept and alter a photo. Symantec published a video demonstrating how an attacker could modify an image in this way, replacing the faces of the people in the photo with that of actor Nicolas Cage.
"While this attack may seem trivial and just a nuisance, it shows the feasibility of manipulating images on the fly," said Symantec.
The company added that the flaw could also be used to alter payments or voice notes. "In one of the most damaging Media File Jacking attacks, a malicious actor can manipulate an invoice sent by a vendor to a customer, to trick the customer into making a payment to an illegitimate account," said Symantec.
The company also hypothesised that the hack could be used to propagate misinformation in Telegram "channels," which are used to broadcast messages to large numbers of users.
Symantec's blog makes multiple recommendations to WhatsApp and Telegram of changes to file validation and storage to patch up the vulnerability. However, a WhatsApp spokeswoman pushed back against Symantec's suggestions.
"WhatsApp has looked closely at this issue and it's similar to previous questions about mobile device storage impacting the app ecosystem. WhatsApp follows current best practices provided by operating systems for media storage and looks forward to providing updates in line with Android's ongoing development.
The suggested changes here could both create privacy complications for our users and limit how photos and files could be shared," she said.
Business Insider understands that WhatsApp hasn't found evidence of the exploit being used in the wild.
Telegram was not immediately available for comment when contacted by Business Insider.
Per WhatsApp's statement, the vulnerabilities around external storage on phones have come up before and could affect apps other than messaging services.
Symantec says users can mitigate the risk by stopping their apps from saving media files to external storage. In WhatsApp the relevant setting is under Settings/Chats/Media Visibility, although a WhatsApp spokesperson said that while changing this setting will help organize your media, it won't prevent the files from being stored externally. In Telegram the setting is under Settings/Chat Settings/Save to Gallery.
WhatsApp's security also came under fire in May after it discovered that hackers had been installing spyware on targets' phones simply by calling them on the app.