How Secure Messengers Get Compromised Through Media Files
9 Apr 2021
Since the dawn of days, people have created images and symbols to pass on knowledge, mark significant events, and express their emotions. And way before that, the first ‘content creators’ to ever walk the Earth just drew things for ‘wit and giggles’.
That need for expression and entertainment has stayed with us from the cave paintings of the Upper Paleolithic era to the ugly reality of the pandemic years.
The only difference is we don’t need to draw animals under the dim tunnel light today. We already have those drawn up and animated for us, ready to be sent to another part of the world in mere seconds. Sharing animated stickers in messengers is how many of us choose to communicate in 2021.
We’ve come a long way to get here, but some things are always the same. People still look for ways to steal from each other, and fool the fellow man using lies, tricks, and illusion. And yes, today we can do it through fancy pictures, animated GIFs, funny videos, etc.
In this blog post we will review exactly how multimedia can be used to trigger both spectrums of human curiosity, thus facilitating digital theft via instant messengers.
Free Stickers for Your Mobile Number. Anyone?
Entertainment is the least talked about weapon in the world.
It can be the most dangerous one too, as people can be manipulated far more easily when they have high levels of endorphin flowing in their systems.
Alongside dopamine, serotonin, oxytocin, this hormone makes people feel good, which is understandably a state we prefer to be in. Sometimes we tend to make wrong choices under its influence, and we always chase this feeling. This ‘chase’ is what makes us susceptible to different kinds of attacks.
Digital susceptibility in particular is based on the following personality factors: curiosity, entertainment drive, boredom, and lack of focus. All four bases are easily covered in instant messengers that can be weaponized and exploited with multimedia-leveraging attacks.
Let’s get to examples. For the first one, we will just let you know that stickers can be used in social engineering schemes. There has been a WhatsApp scam that offered you free stickers in exchange for your phone number and some spamming services on your behalf.
This ploy could be effective for numerous reasons:
- People like to get things for free, especially when some value is attached to them;
- People like to share content, and sometimes that overlaps with spamming;
- People like to find unique content, as it is fresh and engages far more emotions.
Some of you may think that this scam is too simplistic to be effective, but scams don’t have to be overcomplicated to do the job. In similar fashion people can also lose their hard-earned money chasing premium-looking applications. So much for an ice cream wallpaper and asteroids...
As Bruce Schneier, American cryptographer and computer security professional, once said, “The user’s going to pick dancing pigs over security every time!” Now pigs can be animated too. Security doesn’t stand a chance now.
But animated stickers are not only effective bait for social engineering scams; they can also be exploited in a technical manner.
Telegram Chats In a Sticky Situation?
Just recently we have found out about the now-patched Telegram vulnerabilities in iOS, Android, and macOS.
“Polict”, a vulnerability researcher and exploit developer from Italian security firm Shielder, analyzed Telegram code following the arrival of animated stickers in 2019, to find out how they worked under the hood.
While carrying out his research on the lottie animation format and its integration in mobile apps, “Polict” discovered 13 (!) different vulnerabilities: two heap out-of-bounds reads, one heap out-of-bounds write, one stack out-of-bounds read, one stack out-of-bounds write, one integer overflow leading to heap out-of-bounds read, five denial-of-service, and two type confusion flaws.
All the discovered flaws existed in this lottie library. They made it possible for an adversary to just send a malicious animated sticker to the target recipient, gaining access to secret chats with extra sensitive messages and media files. Exploiting those vulnerabilities proved to be a challenge, but not enough of a challenge to stop or discourage sophisticated threat actors such as numerous Advanced Persistent Threat groups.
“This research helped me understand once more that it’s not trivial to limit attack surfaces at scale in end-to-end encrypted contexts without losing functionalities.” - shares @Polict_.
From the research we also found out that some malicious stickers couldn't be sent via unencrypted chats, which raises the question of whether Telegram filters uploaded stickers. No such filtering applied to encrypted Telegram chats, because files there are E2E encrypted. Since messages are encrypted without being validated, the messenger is effectively blind to the content and unable to prevent malicious content from being sent.
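Because the server cannot inspect end-to-end encrypted payloads, any structural checks have to run on the recipient's device before the file reaches the native animation parser. The following is an added example, not Telegram's or the researcher's code, of such a pre-render check. It assumes the sticker arrives as gzip-compressed Lottie JSON with the usual top-level keys (`w`, `h`, `ip`, `op`, `layers`); the limits and function names are illustrative choices made here.

```python
import json
import zlib

# Illustrative limits for this example (assumptions, not any messenger's real values).
MAX_COMPRESSED, MAX_DECOMPRESSED = 64 * 1024, 1024 * 1024
MAX_DEPTH, MAX_LAYERS, MAX_DIMENSION, MAX_FRAMES = 32, 256, 512, 180

class StickerRejected(Exception):
    """A received sticker failed validation and must not reach the renderer."""

def _max_depth(root):
    # Iterative walk: hostile nesting cannot exhaust the interpreter stack.
    deepest, stack = 0, [(root, 1)]
    while stack:
        node, level = stack.pop()
        deepest = max(deepest, level)
        if isinstance(node, (dict, list)):
            kids = node.values() if isinstance(node, dict) else node
            stack.extend((kid, level + 1) for kid in kids)
    return deepest

def _number(doc, key, low, high):
    value = doc.get(key)
    # bool is an int subclass; NaN and Infinity fail the range comparison.
    if isinstance(value, bool) or not isinstance(value, (int, float)) or not low <= value <= high:
        raise StickerRejected(f"{key!r} missing or outside [{low}, {high}]")
    return value

def validate_sticker(blob: bytes) -> dict:
    """Parse a gzip-compressed Lottie JSON sticker or raise StickerRejected."""
    if len(blob) > MAX_COMPRESSED:
        raise StickerRejected("compressed size over limit")
    try:
        # wbits=31 accepts gzip framing only; max_length bounds output (gzip-bomb guard).
        raw = zlib.decompressobj(wbits=31).decompress(blob, MAX_DECOMPRESSED + 1)
        if len(raw) > MAX_DECOMPRESSED:
            raise StickerRejected("decompressed size over limit")
        doc = json.loads(raw)
    except (zlib.error, ValueError, RecursionError) as exc:
        raise StickerRejected(f"malformed sticker: {exc}") from exc
    if not isinstance(doc, dict) or _max_depth(doc) > MAX_DEPTH:
        raise StickerRejected("not an object or nested too deeply")
    _number(doc, "w", 1, MAX_DIMENSION)
    _number(doc, "h", 1, MAX_DIMENSION)
    start = _number(doc, "ip", 0, MAX_FRAMES)
    _number(doc, "op", start + 1, start + MAX_FRAMES)
    layers = doc.get("layers")
    if not isinstance(layers, list) or not 1 <= len(layers) <= MAX_LAYERS:
        raise StickerRejected("layer count outside limit")
    return doc
```

A pre-filter like this narrows what reaches the renderer; it does not replace fixing memory-safety bugs in the parser itself.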
If you have updated Telegram in the last four months, you are safe from sticker exploits. Always take time to update the app, both on mobile and desktop!
Other Things to Remember and Keep In Mind
Weaponized images and multimedia files sent in messengers have been around the block for quite some time now, and Telegram is, of course, not the only offender.
If we look back, we will remember how Symantec researchers discovered a media file vulnerability in WhatsApp and Telegram, where the apps stored media in publicly accessible file directories, which in turn left them vulnerable to manipulation, or in simpler words, could allow attackers to alter messages you see on your phone.
That is, if you own an Android, because this vulnerability is centered around how Android stores data after receiving it. Attackers also required a properly coded, third-party application to intercept media saved via WhatsApp or Telegram from accessible directories. While this is a complicated method, one of its potential “use cases” is the modification of PDF invoices. So this is not only a case of compromised communications, but also a prospect of serious monetary losses.
The research team of another big company, Check Point, also disclosed an attack against WhatsApp and Telegram web versions in 2017. That vulnerability allowed malicious third parties to take over accounts by sending targeted users seemingly harmless images containing malicious code. When opened, it allowed adversaries to take over the account on any browser, and access personal information of the victim.
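The weakness described above is the gap between the moment a messenger writes a file to shared storage and the moment that file is opened. As an added illustration (not code from WhatsApp, Telegram or Symantec), the class below pins a SHA-256 digest in app-private state at receipt and refuses to open a file whose bytes have changed since. The directory layout, class and method names are assumptions made for this example.

```python
import hashlib
import hmac
import json
from pathlib import Path


class MediaTampered(Exception):
    """The file on shared storage no longer matches what was received."""


class MediaStore:
    def __init__(self, shared_dir: Path, private_dir: Path):
        # shared_dir models the media folder other apps can write to;
        # private_dir models storage only the messenger itself can modify.
        self.shared_dir = shared_dir
        self.index_path = private_dir / "media_index.json"

    def _load_index(self) -> dict:
        if not self.index_path.exists():
            return {}
        return json.loads(self.index_path.read_text())

    def receive(self, name: str, data: bytes) -> Path:
        """Save incoming media to shared storage and pin its digest privately."""
        # name is assumed to be a file name generated by the app itself.
        index = self._load_index()
        index[name] = hashlib.sha256(data).hexdigest()
        self.index_path.write_text(json.dumps(index))
        path = self.shared_dir / name
        path.write_bytes(data)
        return path

    def open_verified(self, name: str) -> bytes:
        """Return the file's bytes only if they still match the pinned digest."""
        expected = self._load_index().get(name)
        # Read once and hash the same bytes that are returned, so the file
        # cannot be swapped between the check and the use.
        data = (self.shared_dir / name).read_bytes()
        actual = hashlib.sha256(data).hexdigest()
        if expected is None or not hmac.compare_digest(expected, actual):
            raise MediaTampered(name)
        return data
```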
Photos, videos, personal and group conversations, contact lists could all be compromised, and the user wouldn’t have a clue about it, because Telegram allows users to keep as many active sessions as they want at the same time.
You might also want to know that desktop versions of the most popular messengers were also riddled with vulnerabilities in the past, largely due to their expanded attack surface. Too many to list here, in fact.
Stickers or Security? The Choice Is Yours
From this blog post it becomes clear that secure messengers can be exploited by GIFs, videos, and animated stickers.
We’re not telling you to stop using stickers altogether, of course, but those have the potential to spread further inside the messenger, affecting lots of users at once. We are just providing you with a risk perspective that can hide behind a simple moment of fun. What you decide to do is only your business. Perhaps stickers are the most important thing for some of us.
Signal, one of the more reputable messengers, seems to value them a lot, as it now sets a course for world domination by adding encrypted stickers.
Will it attract more people? Not as much as WhatsApp’s privacy policy updates, that’s for sure.
The stance on animated stickers varies from application to application. You may want to know that StealthTalk doesn’t have any stickers, nor plans to add them in the future. Not that we don’t like to have fun, but this game is just not worth the candle.
If you prioritize security-based features over bells and whistles, you are welcome to check out StealthTalk on App Store and Play Market.