Cybersecurity firm Symantec recently found a serious security flaw, called Media File Jacking, in popular messaging apps WhatsApp and Telegram. The vulnerability allows media files, including images, audio files, and documents, to be manipulated and altered.
Both WhatsApp and Telegram are secured by end-to-end encryption, but the vulnerability exploits the short space of time between when media files received through the apps are written to disk and when they are loaded in an app’s chat user interface.
Usually, on Android, apps can choose where to save media, like images and audio files — they can choose either internal storage that is only accessible through the app or external storage which is more widely available to other apps. Files saved to internal device storage cannot be exploited by a third-party app, but files saved to external storage can—external storage is “public directory and world-readable/writeable.” WhatsApp and Telegram use external storage to save media files by default.
So if a user downloads a malicious app that has access to external storage, that app could be used to access WhatsApp and Telegram media files and manipulate the image without the receiver ever noticing. Think of a photo or video swapped out, financial account details being changed, or news features being manipulated.
Symantec explains, “Media File Jacking threat is especially concerning in light of the common perception that the new generation of IM apps is immune to content manipulation and privacy risks, thanks to the utilization of security mechanisms such as end-to-end encryption.” Symantec argues for app developers to include measures to check the integrity of media files before moving them from external storage into the app user interface, pointing out that “neither apps have any measures in place to protect their users” as things stand.
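The integrity check Symantec calls for, verifying a media file before it moves from external storage into the chat interface, could look like the sketch below. It is an added example, not code from Symantec, WhatsApp or Telegram; the MediaStore class, its method names and the two temporary directories standing in for external and app-private storage are assumptions.

```python
import hashlib
import hmac
import os
import tempfile

class MediaStore:
    """Hypothetical store: media in a shared dir, digests in an app-private dir."""

    def __init__(self, shared_dir, private_dir):
        self.shared_dir = shared_dir
        self.private_dir = private_dir

    def save_received(self, name, data):
        # Hash the decrypted bytes in memory, before they touch shared storage.
        digest = hashlib.sha256(data).hexdigest()
        with open(os.path.join(self.private_dir, name + ".sha256"), "w") as fh:
            fh.write(digest)
        path = os.path.join(self.shared_dir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        return path

    def load_for_display(self, name):
        with open(os.path.join(self.private_dir, name + ".sha256")) as fh:
            expected = fh.read().strip()
        # Read once and hash those same bytes: what is verified is what is shown.
        with open(os.path.join(self.shared_dir, name), "rb") as fh:
            data = fh.read()
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(expected, actual):
            raise ValueError(f"{name}: contents changed after receipt")
        return data

def demo():
    """Constructed scenario: one untouched file, one overwritten after receipt."""
    with tempfile.TemporaryDirectory() as shared, \
            tempfile.TemporaryDirectory() as private:
        store = MediaStore(shared, private)
        store.save_received("invoice.pdf", b"constructed invoice bytes")
        photo = store.save_received("photo.jpg", b"original image bytes")
        with open(photo, "wb") as fh:  # stands in for another app's write
            fh.write(b"replaced image bytes")
        intact = store.load_for_display("invoice.pdf")
        try:
            store.load_for_display("photo.jpg")
            rejected = False
        except ValueError:
            rejected = True
        return intact, rejected
```

The digest is recorded in storage other apps cannot write to, so a file overwritten in the window between being written and being displayed fails the comparison instead of being rendered.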
How to stay safe from Media File Jacking?
To stay safe from Media File Jacking, users have to change the WhatsApp and Telegram settings that allow the applications to save media files to external storage.
In WhatsApp, disable the Media Visibility setting by going to “Settings > Chats > Media Visibility”.
And in Telegram, disable the Save to Gallery option by going to “Settings > Chat Settings > Save to Gallery”.