*** The vendor has addressed these issues and we updated our advisory accordingly ***

[Original post here: http://ift.tt/2pVKCGC]

SUMMARY

WhatsApp Messenger for Android does not delete sent and received files from the SD card when chats are cleared or deleted, or when the application is uninstalled from the device. Additionally, the application stores sent and received files on the SD card without encryption, where they are accessible to any application with storage permissions. The vendor (Facebook) does not consider these to be security issues and does not plan to fix them. MITRE has assigned CVE-2017-8769 to these issues. It is also unclear whether platforms other than Android are affected.

[UPDATE: 09/06/2017 – a recent update to WhatsApp for Android now displays an option to delete media files when deleting chats, and that option is checked by default. The change to the UI mitigates the issues discussed in this advisory. Users are encouraged to update to v2.16.323 or later.]

BACKGROUND

WhatsApp Messenger is a popular cross-platform communication tool that allows users to send and receive messages without using more expensive protocols such as SMS. Additionally, the application allows sending and receiving files, including audio, contacts, images, videos and arbitrary documents. It is estimated that WhatsApp has over 1 billion active users; it is owned by Facebook, which also operates the largest social networking site in the world. One of WhatsApp's main selling points is its commitment to user privacy, which revolves around end-to-end encryption via the Signal protocol originally developed by Open Whisper Systems. This encryption makes it impossible for Facebook to monitor and capture message traffic flowing between users. In some extreme cases, Facebook executives have been jailed for failing to provide access to messaging data requested by governments.
Because of the high expectation of privacy among WhatsApp users, it is important that the security of the application on the device is also properly implemented. WhatsApp stores messages in an encrypted database, but it fails to do the same for files. WhatsApp also does not clear files received or sent by the user when chats are cleared. This can result in user data being leaked or stolen by malicious applications, by law enforcement during illegal searches, or by unwanted actors with access to the device (“evil maid” scenario).

DETAILS

As mentioned above, WhatsApp has the ability to send and receive files in addition to regular messages. This functionality includes arbitrary documents from the file system, contacts, location information, and various types of multimedia files, including two separate audio formats (voice notes and recordings), images and videos. There is also more recent functionality around “status” images, which disappear after 24 hours. In order for WhatsApp to access the SD card, users must grant storage permissions; in practice most users do so in order to be able to exchange files.

In our research, we have found that WhatsApp for Android stores these files on the SD card, where they are accessible to other applications, and does not delete them when chats are cleared or deleted, or when the application is uninstalled. Both sent and received files are retained. They are retained on the SD card in the following folder:

- /WhatsApp/Media/

We have observed that files in the following directories are retained and not deleted:

- /WhatsApp/Media/.Statuses/
- /WhatsApp/Media/WhatsApp Audio/
- /WhatsApp/Media/WhatsApp Documents/
- /WhatsApp/Media/WhatsApp Images/
- /WhatsApp/Media/WhatsApp Video/
- /WhatsApp/Media/WhatsApp Voice Notes/

To replicate the issue:

1. Install WhatsApp for Android.
2. Log in and exchange messages with another user that contain any of the file types listed above.
3. Then, install any file manager for Android.
4. Navigate to the SD card, and observe the files sent and received located in the directories described above.

As the next step, try to delete a chat by tapping on the chat and holding until the delete option comes up. Delete the chat, and go back to the file manager to check. As the next step, go to “Settings”, “Chats”, “Chat History” and select either “Clear all chats” or “Delete all chats”. Go back to the file manager and observe the media files still being present. As the next step, uninstall WhatsApp. Go back to the file manager, and observe the media files still being there.

All testing was done on Android 7 and WhatsApp Messenger v2.17.146. It is unclear whether other platforms are affected.

VENDOR RESPONSE AND MITIGATION STEPS

The vendor (Facebook) does not consider these to be security issues and has no plans to fix them. Vendor response is as follows:
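Added example (not part of the advisory or of WhatsApp's own code): the replication steps above verify retention by browsing the SD card in a file manager. The script below performs the same check non-interactively against a storage root, which is assumed to be either the mounted card or a copy of it pulled from the device, and reports how many files remain in each of the six directories the advisory names. It is the kind of check a user or incident responder would run after clearing chats or uninstalling the app to confirm whether media is still recoverable from external storage. The storage root argument, the per-directory count output and the sample directory tree are all assumptions constructed for this example.

```shell
#!/bin/sh
# Audit a storage root for WhatsApp media directories that the advisory reports
# are retained after chats are cleared/deleted or the app is uninstalled.
# Assumptions (not from the advisory): the root is passed as $1 (e.g. a mounted
# SD card or a directory pulled from /sdcard); only regular files are counted.

# The six directories listed in the advisory, one per line so that the
# embedded spaces survive word splitting below.
WA_MEDIA_DIRS="WhatsApp/Media/.Statuses
WhatsApp/Media/WhatsApp Audio
WhatsApp/Media/WhatsApp Documents
WhatsApp/Media/WhatsApp Images
WhatsApp/Media/WhatsApp Video
WhatsApp/Media/WhatsApp Voice Notes"

# count_retained ROOT DIR
# Prints the number of regular files under ROOT/DIR, or 0 if the directory
# does not exist (an absent directory is simply "nothing retained").
count_retained() {
    cr_root=$1
    cr_dir=$2
    if [ -d "$cr_root/$cr_dir" ]; then
        find "$cr_root/$cr_dir" -type f | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# audit_whatsapp_media ROOT
# Prints one "count<TAB>directory" line per advisory directory.
# Returns 0 when no media files are retained, 1 when any were found.
audit_whatsapp_media() {
    am_root=$1
    am_total=0
    am_old_ifs=$IFS
    IFS='
'
    for am_dir in $WA_MEDIA_DIRS; do
        am_n=$(count_retained "$am_root" "$am_dir")
        printf '%s\t%s\n' "$am_n" "$am_dir"
        am_total=$((am_total + am_n))
    done
    IFS=$am_old_ifs
    [ "$am_total" -eq 0 ]
}

# make_sample_root
# Builds a constructed sample tree standing in for a pulled SD card (not real
# user data): two images and one voice note remain, the other dirs are empty
# or absent. Prints the path of the temporary root.
make_sample_root() {
    ms_root=$(mktemp -d)
    mkdir -p "$ms_root/WhatsApp/Media/WhatsApp Images" \
             "$ms_root/WhatsApp/Media/WhatsApp Voice Notes/sub" \
             "$ms_root/WhatsApp/Media/.Statuses"
    : > "$ms_root/WhatsApp/Media/WhatsApp Images/photo1.jpg"
    : > "$ms_root/WhatsApp/Media/WhatsApp Images/photo2.jpg"
    : > "$ms_root/WhatsApp/Media/WhatsApp Voice Notes/sub/note1.opus"
    echo "$ms_root"
}

# Usage: sh whatsapp_media_audit.sh /path/to/sdcard
# With no argument the script only defines the functions above.
if [ -n "${1:-}" ]; then
    if audit_whatsapp_media "$1"; then
        echo "no retained WhatsApp media found under $1"
    else
        echo "retained WhatsApp media present under $1"
    fi
fi
```

A non-zero exit status from audit_whatsapp_media means files are still present after whatever clearing or uninstall step was just performed, which is exactly the condition the advisory describes; a zero exit on a device running the updated version (with the delete-media option checked) is the expected mitigated result.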