Instant Messaging Apps For Desktop: How Secure Are They?

TL;DR: Instant messaging apps for desktop use give attackers more vulnerabilities to exploit. Different vulnerabilities found in desktop messengers can be seen here.

It’s not exactly a secret that the more ground you cover, the more ground you have to protect.

And although it sounds like the most obvious thing ever, we as users do not implement this line of thinking into our user habits.

Case in point - we heavily use the instant messaging apps for desktop versions of secure instant messengers without knowing much about their security. 

Constant Trade-Off Between Convenience And Security 

Today we can find a lot of secure messengers spreading to desktops, being available on Mac, Windows, Linux.

Although that makes the products more friendly in the eyes of the public, that flexibility increases user’s productivity, and supposedly covers them on multiple fronts, the reality is different. Desktop messengers have proven to have way more vulnerabilities.

Everything can be explained by one little fact - smartphones were designed in an already connected world, unlike computers, that made it connected in the first place. Mobile devices started with a very different security model to computers, benefitting from the mistakes made by others in the past.

If we look at Common Vulnerabilities and Exposures (CVE) entries, we will see that instant messaging apps for desktop give attackers more chances to succeed. 

7 Times Desktop Messengers Showed Their Vulnerability

Just saying that desktop versions are shaky wouldn’t be enough. 

Therefore, let’s look over a shortened list of discovered CVEs in two of the more secure messengers known to the general public - Signal and Telegram, and consumer-oriented apps like Viber and Whatsapp.

1. CVE-2018-14023
   Signal Desktop version 1.14.3 was vulnerable to the recovery of expired messages. Expired messages were still previewed in the contact list, meaning that information was stored somewhere, also meaning it could be extracted with local access.
2. CVE-2018-17780
   Telegram Desktop 1.3.14, and Telegram 3.3.0.0 WP8.1 on Windows, leaked end-user public and private IP addresses during a call because of an unsafe default behavior in which P2P connections are accepted from clients outside of the “My Contacts” list.
3. CVE-2018-11101
   Signal Desktop through 1.10.1 failed to sanitize specific HTML elements that can be used to inject HTML code into remote chat windows when replying to an HTML message. 
4. CVE-2019-9970 and CVE-2019-10044
   Signal Desktop through 1.23.1 and Telegram Desktop before 1.5.12 on Windows could be exploited by an IDN homograph attack when displaying messages containing links. Due to this vulnerability, the app produced a clickable link even if Latin and Cyrillic characters existed in the same domain name, enabling spoofing.
5. CVE-2018-17613
   Telegram Desktop 1.3.16 alpha, when "Use proxy" is enabled, sends credentials and application data in cleartext over the SOCKS5 protocol.
6. CVE-2019-12569
   Viber for desktop before 10.7.0 on Windows had a vulnerability that could allow an adversary to execute arbitrary commands on a targeted system due to unsafe search paths used by the application URI. 
7. CVE-2019-3571
   WhatsApp Desktop versions before 0.3.3793 allowed attackers to send files that would be displayed with a wrong extension.

The list could continue for some time, but these examples show exactly how many different vulnerabilities there are. 

While Signal and Telegram are boasting a better reputation than Viber and Whatsapp in security circles, this brief research shows that nobody is perfect, and that desktop instant messaging apps are especially vulnerable to exploitation.

To finalize, sometimes the multi-platform benefit plays not only in the favor of users but also in the hands of possible detractors.